Information Security News | AI Aggregator

Please be mindful of possible hallucinations. Verify information prior to taking action.
Trump’s new cybersecurity strategy makes promises but lacks details
Date: 2026-03-06 | Source: Cybersecurity Dive
The Trump administration's cybersecurity strategy emphasizes disrupting cyber threats, protecting critical infrastructure, and leveraging AI while reducing business regulations. It outlines six pillars but lacks implementation details. Key points include deterring foreign hackers, securing critical infrastructure, easing compliance burdens, and promoting AI and post-quantum cryptography. The strategy also aims to enhance the cybersecurity workforce and modernize federal networks with zero-trust architecture and AI solutions.
2026-03-06 | Cyberscoop: The long-awaited Trump cyber strategy has arrived
President Trump released a cyber strategy emphasizing offensive operations, securing federal networks, and enhancing the cybersecurity workforce. Key pillars include shaping adversary behavior, modernizing federal networks with technologies like post-quantum cryptography, and securing critical infrastructure. An executive order was signed to prioritize cybercrime prosecution and improve agency tools against international criminal organizations. While some praised the strategy's focus on deterrence and AI, critics noted its vagueness and lack of actionable plans.
2026-03-06 | CSO Online: Trump’s cyber strategy emphasizes offensive operations, deregulation, AI
The White House released President Trump's cybersecurity strategy, emphasizing offensive operations as central to US policy. Developed by the Office of the National Cyber Director, the seven-page document focuses on disrupting adversaries, deregulating industry, and accelerating AI adoption, while also addressing the defense of federal systems and critical infrastructure. This shift prioritizes offensive measures over traditional deterrence, garnering significant attention in the cybersecurity landscape.
2026-03-07 | Security Affairs: Reading White House President Trump’s Cyber Strategy for America (March 2026)
The White House released "President Trump’s Cyber Strategy for America," outlining a proactive approach to cybersecurity as a strategic domain. Key pillars include building a cyber workforce, shaping adversary behavior through offensive operations, promoting streamlined regulations, modernizing federal networks with zero-trust and AI, securing critical infrastructure, and sustaining technological superiority in AI and cryptography. The strategy emphasizes collaboration between government and private sectors to enhance resilience against cyber threats.
2026-03-09 | Risky.Biz: Risky Bulletin: New White House EO prioritizes fight against scams and cybercrime
US President Trump signed an executive order on Friday prioritizing the fight against foreign scams and cybercrime, directing the Attorney General to focus on cyber fraud, ransomware, and phishing. The order mandates a victim restoration program and calls for pressure on foreign governments harboring cybercriminals. Concurrently, a new Cyber Strategy emphasizes public-private partnerships for offensive cyber operations and AI integration in government cybersecurity efforts.
Anthropic’s Claude found 22 vulnerabilities in Firefox over two weeks
Date: 2026-03-06 | Source: TechCrunch
Anthropic discovered 22 vulnerabilities in Firefox during a security partnership with Mozilla, with 14 classified as "high-severity." Most issues were addressed in Firefox 148, released in February, while some fixes are pending for future updates. The team utilized Claude Opus 4.6 over two weeks, focusing on the complex codebase. Although successful in identifying vulnerabilities, they struggled to create proof-of-concept exploits, achieving success in only two instances despite spending $4,000 in API credits.
2026-03-06 | The Register: Firefox taps Anthropic AI bug hunter, but rancid RAM still flipping bits
Mozilla's Firefox has enhanced security through collaboration with Anthropic's AI, which identified 14 high-severity bugs, resulting in 22 CVEs being issued and fixed. However, about 10-15% of Firefox crashes are attributed to hardware issues like bit flips, often caused by faulty memory. Mozilla received 470,000 crash reports, with 25,000 potentially linked to these memory errors. While AI aids in vulnerability detection, hardware errors remain outside Mozilla's control, highlighting ongoing risks in device reliability.
2026-03-07 | The Hacker News: Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model
Anthropic discovered 22 vulnerabilities in Firefox, including 14 high-severity, during a partnership with Mozilla. The vulnerabilities were identified in January 2026 and addressed in Firefox 148. Notably, a use-after-free bug was found in just 20 minutes. The AI model, Claude Opus 4.6, was more effective at finding vulnerabilities than exploiting them, successfully creating exploits for only two out of hundreds of tests. Mozilla reported that this AI-assisted approach has led to the discovery of 90 additional bugs, enhancing security analysis.
2026-03-09 | Security Affairs: Anthropic Claude Opus AI model discovers 22 Firefox bugs
Anthropic's Claude Opus 4.6 identified 22 vulnerabilities in Firefox, primarily high-severity, which were addressed in Firefox 148 released in January 2026. The AI model demonstrated rapid detection capabilities, finding 112 unique reports across nearly 6,000 C++ files. While it struggled to exploit vulnerabilities, successfully creating functional exploits in only two cases, this highlights the potential risks of AI in offensive security. Mozilla noted that AI-assisted analysis has uncovered 90 additional bugs, emphasizing its growing role in security.
Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer
Date: 2026-03-06 | Source: The Hacker News
Microsoft disclosed a ClickFix campaign, observed in February 2026, that uses Windows Terminal to deploy Lumma Stealer malware. The campaign instructs users to launch Windows Terminal themselves, bypassing detection mechanisms that watch other launch paths. Users are told to paste a hex-encoded command that triggers a multi-stage attack: downloading payloads, setting persistence, and exfiltrating data. Lumma Stealer targets browser artifacts to harvest credentials. A second pathway uses a batch script for further exploitation, indicating EtherHiding techniques.
2026-03-06 | Security Affairs: Microsoft warns of ClickFix campaign exploiting Windows Terminal to deliver Lumma Stealer
Microsoft warns of a ClickFix campaign exploiting Windows Terminal to deliver Lumma Stealer malware through social engineering. Discovered in February 2026, attackers guide users to launch Terminal using Windows + X → I, bypassing traditional detection methods. Users are tricked into executing hex-encoded commands that download and execute malicious payloads, leading to credential theft from browsers. Microsoft Defender provides guidance on defending against this campaign.
2026-03-06 | The Register: Microsoft spots ClickFix campaign getting users to self-pwn on Windows Terminal
A new ClickFix scam targets Windows users by tricking them into launching Windows Terminal and executing a malicious command that installs the Lumma infostealer. This campaign, identified by Microsoft Threat Intelligence, began in February and uses social engineering tactics to convince users to paste commands under the guise of troubleshooting. The attack can establish persistence, modify Microsoft Defender settings, and steal credentials from browsers like Chrome and Edge.
2026-03-06 | Cyber Security News: New ClickFix Attack leverages Windows Terminal for Payload Execution
A new ClickFix attack exploits Windows Terminal to execute malicious payloads. This attack takes advantage of vulnerabilities in the terminal application, allowing attackers to bypass security measures and execute arbitrary code. Organizations are advised to update their Windows Terminal software to the latest version to mitigate risks. Monitoring for unusual terminal activity and implementing strict access controls are also recommended to enhance security against such threats.
2026-03-06 | CSO Online: ClickFix attackers using new tactic to evade detection, says Microsoft
Threat actors are employing a new tactic in ClickFix phishing attacks, as reported by Microsoft. Instead of instructing victims to use the Run dialog, they now direct them to use the Windows + X → I shortcut to open Windows Terminal (wt.exe). Once opened, victims are prompted to paste malicious PowerShell commands via fake CAPTCHA pages or other deceptive prompts that seem routine. This method aims to evade detection and successfully install malware on the victim's system.
FBI targeted with ‘suspicious’ activity on its networks
Date: 2026-03-05 | Source: Cyberscoop
The FBI confirmed a suspected cybersecurity incident involving targeted suspicious activity on its networks. While details remain scarce, reports indicate the activity affected a digital system used for surveillance, including foreign intelligence warrants and wiretaps. There is speculation about a connection to the Chinese hacking group Salt Typhoon, which exploited U.S. wiretapping systems in 2024. The timing of the recent incident and the parties responsible are unclear. The FBI has faced multiple cyber threats in recent years.
2026-03-05 | TechCrunch: FBI investigating hack on its wiretap and surveillance systems: Report
Hackers have breached FBI networks, impacting a system for managing wiretaps and foreign intelligence surveillance warrants. The FBI confirmed it identified and addressed suspicious activities but provided limited details. This incident adds to a series of significant breaches involving U.S. government agencies, including previous attacks by Chinese and Russian hackers on various organizations. The FBI also reported that the Chinese hacking group Salt Typhoon has compromised at least 200 U.S. companies, including major telecom providers.
2026-03-06 | TechRadar: FBI says it's investigating claims its systems were compromised - wiretaps and search warrants apparently hijacked
The FBI is investigating a cyber-incident affecting its wiretap and surveillance systems, confirming suspicious activity on its internal networks. While specific details were not disclosed, reports indicate that the breach involved systems managing wiretapping and foreign intelligence surveillance warrants. Media speculation points to the Chinese group Salt Typhoon as a potential actor, known for previous high-level cyber-espionage against U.S. telecommunications providers.
2026-03-06 | CSO Online: FBI wiretap system tapped by hackers
The FBI has reported a suspected incident involving unauthorized access to a network managing wiretaps and foreign intelligence surveillance warrants. The agency confirmed it identified and addressed suspicious activities on its networks, utilizing all technical capabilities for response. Concerns arise that this incident may be linked to state-sponsored actors, particularly given previous warnings about attacks from the Chinese ransomware group, Ghost, targeting US organizations.
2026-03-06 | Cyber Security News: FBI Investigates Hack on its Wiretap and Critical Surveillance Systems
The FBI is investigating a breach involving its wiretap and critical surveillance systems, which may have compromised sensitive information. The incident raises concerns about the security of law enforcement tools and the potential for unauthorized access to surveillance data. The FBI has not disclosed specific details about the attack or the extent of the breach, but it emphasizes the importance of safeguarding its systems against cyber threats. Further updates are expected as the investigation continues.
2026-03-07 | Security Affairs: FBI probing intrusion into a system managing sensitive surveillance information
The FBI is investigating suspicious cyber activity on an internal system managing sensitive surveillance data, initiated on February 17, 2026. The unclassified system contains law enforcement sensitive information, including pen register data and personally identifiable information. The FBI confirmed addressing the suspicious activities using technical capabilities but did not disclose further details or identify the attackers, who employed sophisticated techniques, potentially linked to foreign espionage efforts.
2026-03-08 | The Register: FBI is investigating breach that may have hit its wiretapping tools
The FBI is investigating a breach affecting its wiretapping and surveillance systems, identified on February 17. The unclassified system contained sensitive law enforcement information, including personally identifiable information. The breach is linked to China's Salt Typhoon group, known for hacking U.S. telecommunications. Europol recently dismantled the Tycoon2FA phishing platform, which facilitated extensive phishing attacks, and the LeakBase data marketplace. LastPass warned users of a phishing campaign mimicking internal emails.
Iran intelligence backdoored US bank, airport, software outfit networks
Date: 2026-03-05 | Source: The Register
An Iranian cyber group linked to the Ministry of Intelligence and Security has infiltrated multiple US organizations, including a bank, software firm, and airport, since February. Researchers from Symantec and Carbon Black discovered a new backdoor named Dindoor, targeting Israeli networks. Data exfiltration attempts were made using Rclone. The group typically gains access via phishing or vulnerabilities. Increased cyber activity, including DDoS attacks, has been noted since the onset of hostilities, but no major disruptive attacks have occurred yet.
2026-03-06 | The Hacker News: Iran-Linked MuddyWater Hackers Target U.S. Networks With New Dindoor Backdoor
Iranian hacking group MuddyWater has targeted U.S. networks, including banks and airports, embedding a new backdoor called Dindoor, leveraging the Deno JavaScript runtime. The campaign began in early February, coinciding with military tensions. Data exfiltration attempts were made using Rclone. A separate Python backdoor, Fakeset, was also found. The Canadian Centre for Cyber Security warns of potential retaliatory attacks against critical infrastructure. Organizations are advised to enhance cybersecurity measures and remain vigilant.
2026-03-06 | Help Net Security: Iran-linked APT targets US critical sectors with new backdoors
An Iran-linked APT group, Seedworm, has targeted multiple US organizations since early February 2026, including a bank, an airport, and non-profits, using new backdoors named Dindoor and Fakeset. These backdoors are linked to espionage efforts, with attempts to exfiltrate data to cloud storage. Researchers noted the group's extensive targeting of various organizations and exploitation of multiple CVEs. An exposed VPS revealed insights into Seedworm's operations, showcasing their adaptability and broad operational scope.
2026-03-06 | Infosecurity Magazine: Iran's MuddyWater Hackers Hit US Firms with New 'Dindoor' Backdoor
Iranian hacking group MuddyWater has targeted several US firms, including a bank and an airport, using a new backdoor named 'Dindoor.' Detected by Broadcom's Symantec and Carbon Black, the campaign began in early February. The Dindoor backdoor, leveraging Deno, was found on networks of affected organizations, with attempts to exfiltrate data noted. A Python backdoor called Fakeset was also discovered at the airport. Both backdoors were signed with certificates linked to MuddyWater, indicating ongoing threats to other organizations.
2026-03-06 | Security Affairs: Iran-linked MuddyWater deploys Dindoor malware against U.S. organizations
Iran-linked APT MuddyWater has targeted U.S. organizations since February 2026, deploying a new backdoor named Dindoor across sectors such as banking, airports, and nonprofits. The malware, relying on the Deno runtime, was signed with a certificate linked to “Amy Cherne.” Victims include a U.S. bank and a defense software supplier in Israel. Researchers noted attempts to exfiltrate data using Rclone. The campaign reflects Iran's strategy of using cyber operations for disruption and espionage against perceived adversaries.
Google says 90 zero-days exploited in 2025 as commercial vendor activity grows
Date: 2026-03-05 | Source: Recorded Future
In 2025, Google tracked 90 exploited zero-day vulnerabilities, up from 78 in 2024. Of these, 42 were attributed to commercial surveillance vendors and state-sponsored groups, particularly from China and Russia. Notable vulnerabilities included CVE-2025-21590 and CVE-2025-0282. The report highlights a concerning trend of commercial vendors creating exploit chains and the increasing accessibility of zero-day exploits. U.S. agencies warned about vulnerabilities in security tools from companies like Ivanti and Cisco, emphasizing the need for improved security on edge devices.
2026-03-05 | TechCrunch: Google says half of all zero-days it tracked in 2025 targeted buggy enterprise tech
In 2025, Google reported that 48% of tracked zero-day vulnerabilities targeted enterprise technologies, a record high. Key affected vendors included Cisco, Fortinet, Ivanti, and VMware, with common flaws such as input validation weaknesses exploited to breach defenses. Notably, the Clop gang compromised Oracle E-Business Suite, affecting organizations including Harvard and The Washington Post. The report also indicated a rise in zero-days attributed to surveillance vendors, reflecting a shift in how governments obtain hacking tools.
2026-03-05 | The Register: Google says spyware makers and China-linked groups dominated zero-day attacks last year
In 2025, Google tracked 90 zero-day vulnerabilities, with 43 targeting enterprise software, marking a rise in exploitation by China-linked cyber-espionage groups. Security and networking devices were most affected, with 21 enterprise-related zero-days. Notably, commercial surveillance vendors (CSVs) accounted for 15 zero-days, surpassing traditional state-sponsored groups. Microsoft had the highest number of exploited zero-days, followed by Google and Apple. The report highlights a shift towards targeting larger organizations for espionage.
2026-03-06 | CSO Online: Zero-day exploits hit enterprises faster and harder
In 2023, Google identified 90 zero-day vulnerabilities, with Chinese cyberespionage groups doubling their exploits. Commercial surveillance vendors surpassed state-sponsored hackers in targeting. Nearly half of the zero-days affected enterprise technologies, including security appliances, VPNs, and software platforms. The Google Threat Intelligence Group noted a critical risk from trusted edge infrastructure and highlighted the increasing exploitation of interconnected enterprise software, which accounted for 48% of zero-days last year.
2026-03-06 | Security Affairs: Google GTIG: 90 zero-day flaws exploited in 2025 as enterprise targets grow
Google's GTIG reported 90 zero-day vulnerabilities exploited in 2025, an increase from 78 in 2024, with 48% targeting enterprise technologies. Operating systems were the most exploited, with 39 flaws, while browser exploits fell below 10%. Commercial surveillance vendors surpassed state-sponsored groups in zero-day usage. Major tech vendors and security companies were frequent targets. Google anticipates AI will enhance both threat actor capabilities and defensive measures in 2026.
2026-03-06 | DIGIT: Enterprise Tech Facing Record Zero-Day Pressure, Finds Google
Enterprise tech firms faced significant zero-day exploit pressure in 2025, with 50% of the 90 tracked exploits targeting them. Microsoft was the most affected, with 25 zero-days, followed by Google (11) and Apple (8). Security applications and networking software were primary targets, with 23% of exploits aimed at these systems. Notably, commercial spyware vendors led zero-day attacks, surpassing state-sponsored groups, with 15 exploits linked to them compared to 12 attributed to state actors.
2026-03-06 | Infosecurity Magazine: Zero-Day Attacks on Enterprise Software Reach Record High, Google Warns
On March 5, Google Threat Intelligence Group reported 90 exploited zero-day vulnerabilities for 2025, up from 78 in 2024 but down from 100 in 2023, with a record share hitting enterprise software. Notably, 43 (48%) of these targeted enterprise software and appliances, indicating a shift in attacker focus. Among these, 21 targeted security and networking solutions, which attackers value as footholds for unauthorized access and which defenders often overlook. This trend highlights the increasing exploitation of enterprise infrastructure by cyber attackers.
2026-03-06 | Cybersecurity Dive: Nearly half of exploited zero-day flaws target enterprise-grade technology
In 2025, 90 zero-day vulnerabilities were exploited, with nearly half targeting enterprise-grade technology, according to Google Threat Intelligence Group. State-sponsored groups, particularly China-nexus actors, were responsible for at least 10 zero-days, including CVE-2025-21590 affecting Juniper MX routers. Notably, commercial surveillance vendors were involved in over one-third of attacks, surpassing state-sponsored groups. The report highlights AI's growing role in accelerating threat activities and vulnerability exploitation.
2026-03-06 | TechRadar: Google reveals huge number of zero-days patched in 2025, says worse may be to come as 'AI changes the game'
Google's Threat Intelligence Team reported tracking 90 zero-day vulnerabilities exploited in 2025, a decrease from 100 in 2023 but an increase from 78 in 2024. The report indicates a significant rise in enterprise-targeted exploits, which accounted for 48% of all zero-days. AI is expected to enhance both attack and defense capabilities, with attackers automating processes. Google advises defenders to prepare for inevitable compromises and suggests proactive measures for identifying and patching vulnerabilities.
Cisco Catalyst SD-WAN Vulnerabilities Allow Attackers to Gain Root Access
Date: 2026-03-05 | Source: Cyber Security News
Cisco issued a security advisory regarding multiple vulnerabilities in Cisco Catalyst SD-WAN Manager that could allow attackers to bypass authentication and gain root access. Key vulnerabilities include CVE-2026-20129, a critical flaw with a CVSS score of 9.8, and CVE-2026-20126, which allows privilege escalation. Active exploitation of CVE-2026-20122 and CVE-2026-20128 has been reported. Immediate software upgrades to versions 20.9.8.2, 20.12.5.3, or 20.18.2.1 are recommended, with no workarounds available.
2026-03-05 | Help Net Security: Cisco warns of SD-WAN Manager exploitation, fixes 48 firewall vulnerabilities
Cisco has confirmed exploitation of two vulnerabilities in Catalyst SD-WAN Manager (CVE-2026-20128 and CVE-2026-20122) patched in February 2025. CVE-2026-20128 allows local attackers with valid credentials to gain DCA user privileges, while CVE-2026-20122 enables remote attackers to overwrite files and gain vmanage user privileges. Cisco recommends upgrading to fixed software. Additionally, 48 vulnerabilities were fixed in Cisco Secure Firewall, including two critical flaws (CVE-2026-20079 and CVE-2026-20131).
2026-03-05 | The Hacker News: Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities
Cisco has confirmed active exploitation of two vulnerabilities in Catalyst SD-WAN Manager: CVE-2026-20122 (CVSS 7.1), allowing authenticated attackers to overwrite files, and CVE-2026-20128 (CVSS 5.5), enabling local attackers to gain DCA user privileges. Patches were released for various versions. Users are urged to update software, secure appliances, disable unnecessary services, change default passwords, and monitor log traffic. This follows a recent disclosure of a critical flaw (CVE-2026-20127, CVSS 10.0) exploited by a sophisticated actor.
2026-03-06 | The Register: Cisco warns of two more SD-WAN bugs under active attack
Cisco has reported active exploitation of two vulnerabilities in its Catalyst SD-WAN Manager software: CVE-2026-20122 (CVSS 7.1) allows authenticated remote attackers to overwrite files, while CVE-2026-20128 (CVSS 5.5) enables local attackers to gain Data Collection Agent privileges. Cisco urges customers to upgrade to fixed software releases. This warning follows prior alerts about vulnerabilities CVE-2022-20775 and CVE-2026-20127, which are also under active attack by sophisticated threat actors.
2026-03-06 | Security Affairs: Cisco flags ongoing exploitation of two recently patched Catalyst SD-WAN flaws
Cisco warns of active exploitation of two recently patched Catalyst SD-WAN vulnerabilities, CVE-2026-20128 and CVE-2026-20122. These flaws allow attackers to gain root privileges and access sensitive information. Security patches were released on February 25, 2026. The vulnerabilities affect all Cisco Catalyst SD-WAN deployments. Cisco advises immediate updates to mitigate risks. The exploitation is linked to a sophisticated threat actor, tracked as UAT-8616, active since at least 2023.
Workers reviewing Meta Ray-Ban footage encounter users’ intimate moments
Date: 2026-03-05 | Source: Help Net Security
A joint investigation revealed that human contractors in Kenya review footage from Meta's Ray-Ban smart glasses, exposing sensitive personal moments, including intimate activities and bank details. Workers reported seeing unblurred faces in some recordings, raising privacy concerns. Meta's response to inquiries about data handling was vague, and employees in eyewear stores lacked knowledge about the glasses' data practices, potentially misleading customers about privacy risks.
2026-03-05 | The Register: UK watchdog eyes Meta's smart glasses after workers say they 'see everything'
Britain's ICO is investigating Meta's AI-powered smart glasses after reports that contractors reviewing footage captured private moments of users. The investigation, prompted by Swedish media, revealed that workers in Nairobi reviewed videos showing intimate scenes and personal information. The ICO expressed concern over data protection compliance under GDPR, emphasizing the need for transparency in data collection and usage. Meta stated that recordings are used to improve AI systems and can be managed by users.
2026-03-06 | Times Now: Meta Faces Privacy Lawsuit After Swedish Investigation Found Overseas Workers Viewed Users' Intimate Footage
Meta is facing a lawsuit filed on March 4, 2023, in the U.S. after a Swedish investigation revealed that overseas subcontractor workers may have accessed user-recorded footage from Meta's Ray-Ban smart glasses. The findings raise significant privacy concerns regarding how these recordings are handled and whether users were adequately informed about the potential review of their intimate footage.
2026-03-06 | DIGIT: Meta Smart Glasses Under Scrutiny After Intimate Footage is Shared
Meta's smart AI glasses, developed with Ray-Ban, face scrutiny after reports revealed that intimate images and videos captured by users were accessed by outsourced workers for content labeling. An investigation highlighted privacy concerns, including unauthorized recordings in private settings. The Information Commissioner’s Office is questioning Meta's data processing transparency and compliance with UK regulations. Meta claims to have privacy protections, but concerns persist about user consent and data handling practices.
2026-03-06 | DIGIT: Meta Smart Glasses Under Scrutiny Over Data Privacy Concerns
Meta's AI smart glasses, developed with Ray-Ban, face scrutiny over privacy issues after reports revealed that intimate images and videos captured by users were viewed by outsourced workers at a third-party firm, Sama. The Information Commissioner’s Office (ICO) is investigating whether Meta adequately communicates data processing practices to users. Concerns include unauthorized recordings and the handling of sensitive imagery. Meta claims to have privacy protections in place, but the investigation raises significant questions about user consent and data transparency.
Cisco fixes maximum-severity Secure FMC bugs threatening firewall security
Date: 2026-03-04 | Source: Security Affairs
Cisco patched two critical vulnerabilities in its Secure Firewall Management Center (FMC) that could allow attackers to gain root access. CVE-2026-20079, an authentication bypass issue, enables unauthenticated remote attackers to execute scripts via crafted HTTP requests (CVSS 10.0). CVE-2026-20131, a remote code execution flaw, allows execution of arbitrary Java code as root through insecure deserialization (CVSS 10.0). No workarounds exist, and Cisco is unaware of any active exploitation.
2026-03-05 | Cyber Security News: Cisco Secure Firewall Management Vulnerability Allows Attackers to Bypass Authentication
Cisco has issued a critical advisory regarding a vulnerability in its Secure Firewall Management Center (FMC) Software, tracked as CVE-2026-20079. This flaw allows unauthenticated remote attackers to bypass authentication and execute scripts, gaining full root access. The vulnerability, with a CVSS score of 10.0, requires immediate attention. No workarounds exist; Cisco urges organizations to upgrade to fixed software versions. The advisory was published on March 4, 2026, following discovery by researcher Brandon Sakai.
2026-03-05 | Infosecurity Magazine: Cisco Issues Patches for 48 Vulnerabilities in Enterprise Networking Products
Cisco released 25 security advisories on March 4, addressing 48 vulnerabilities in its Secure Firewall ASA, FMC, and FTD products. The most critical flaws, CVE-2026-20079 and CVE-2026-20131, both rated 10 CVSS, allow for authentication bypass and remote code execution, respectively. No workarounds exist; customers are urged to upgrade to the patched software. Additionally, 15 high-severity (CVSS 7.2-8.6) and 31 medium-severity (CVSS 4.3-6.8) vulnerabilities were also patched.
2026-03-05 | Cyber Security News: Cisco Secure Firewall Management Vulnerability Enables Remote Code Execution
Cisco has issued a security advisory for a critical vulnerability in its Secure Firewall Management Center (FMC) software, rated CVSS 10.0. This flaw allows remote, unauthenticated attackers to execute arbitrary code, gaining root-level control. It arises from insecure deserialization in the web interface. Affected systems include Cisco Secure FMC and Cisco Security Cloud Control, while ASA and FTD software are not vulnerable. No workarounds exist; organizations must apply updates to mitigate risks. Prompt remediation is essential.
2026-03-05 | Cyberscoop: Cisco reveals 2 max-severity defects in firewall management software
Cisco disclosed two critical vulnerabilities in its firewall management software, CVE-2026-20079 and CVE-2026-20131, which could allow unauthenticated remote attackers to gain root access to affected devices. CVE-2026-20079 enables script execution via an authentication bypass, while CVE-2026-20131 is a deserialization flaw allowing remote code execution. Cisco urges customers to upgrade to patched software, as there are no workarounds. The vulnerabilities were part of a biannual update addressing 48 issues across multiple products.
2026-03-05 | CSO Online: Cisco issues emergency patches for critical firewall vulnerabilities
Cisco released emergency patches on March 4, 2026, addressing 25 security advisories and 48 CVEs for its firewall products. Notably, two critical vulnerabilities in the Secure Firewall Management Center (FMC) Software, CVE-2026-20079 (authentication bypass) and CVE-2026-20131 (insecure deserialization), both received maximum CVSS scores of 10. This update represents one of the largest patching efforts for Cisco's firewall products.
2026-03-06 | Hack Read: Cisco Patches 48 Firewall Vulnerabilities with Two CVSS 10 Flaws
Cisco has released security updates for 48 vulnerabilities across its firewall platforms, including Cisco Secure Firewall Adaptive Security Appliance and Management Center. Notably, two critical flaws (CVE-2026-20079 and CVE-2026-20131) have a CVSS score of 10, allowing for authentication bypass and remote code execution, respectively. Cisco recommends immediate upgrades to patched software versions, as there are no temporary fixes. The advisory also includes 15 high-severity and 31 medium-severity vulnerabilities.
Global Takedown Neutralizes Tycoon2FA Phishing Service
Date: 2026-03-04 | Source: Infosecurity Magazine
Over 300 domains linked to the Tycoon2FA phishing-as-a-service operation were seized in a global takedown led by Microsoft and Europol. Tycoon2FA, operational since August 2023, had around 2000 users and utilized adversary-in-the-middle techniques to bypass multi-factor authentication, compromising enterprise accounts. Security experts emphasize the need for organizations to enhance resilience against such threats, as the primary operator remains unidentified. Recommendations for defense were provided by TrendAI.
2026-03-04 | Microsoft Security: Inside Tycoon2FA: How a leading AiTM phishing kit operated at scale
Tycoon2FA, a phishing-as-a-service platform launched in August 2023, has enabled extensive phishing campaigns targeting over 500,000 organizations monthly. Developed by Storm-1747, it allows attackers to bypass multifactor authentication (MFA) using adversary-in-the-middle techniques. The service has been disrupted by Microsoft and Europol. Tycoon2FA employs sophisticated evasion tactics, including custom CAPTCHAs and dynamic redirects, making detection challenging. Recommendations include adopting phishing-resistant MFA and utilizing Microsoft Defender for threat detection and response.
2026-03-04 | Cyber Security News: Tycoon 2FA Phishing Kit Disrupted by Microsoft, Europol and Partners
Microsoft, Europol, and partners dismantled the Tycoon 2FA phishing-as-a-service platform, seizing 330 domains used for credential theft and MFA bypass. Active since 2023, it accounted for 62% of phishing attempts blocked by Microsoft and impacted over 500,000 organizations globally. Phishing message volume dropped 57.6% after the seizure. Recommendations include deploying phishing-resistant MFA, monitoring for anomalous sign-ins, and joining ISACs for shared intelligence.
2026-03-04 | Cyberscoop: Global coalition dismantles Tycoon 2FA phishing kit
A global coalition led by Microsoft dismantled the Tycoon 2FA phishing kit on Wednesday, seizing 330 domains linked to its infrastructure. Tycoon 2FA, operational since August 2023, was responsible for over 30 million phishing messages monthly, targeting more than 500,000 organizations, particularly in education and healthcare. Microsoft and Health-ISAC filed a civil complaint against its creator, seeking a $10 million injunction. The operation involved authorities from six countries and multiple security firms.
2026-03-05 | CSO Online: Microsoft leads takedown of Tycoon2FA phishing service infrastructure
The Tycoon2FA phishing service infrastructure has been dismantled through a coordinated effort led by Microsoft and Europol, involving multiple law enforcement agencies. A US court order enabled Microsoft to seize 330 active domains associated with Tycoon2FA, which was a significant tool for bypassing multifactor authentication. Law enforcement in Latvia, Lithuania, Portugal, Poland, Spain, and the UK also participated in seizing the service's infrastructure, temporarily disrupting this major phishing operation.
2026-03-05 | The Hacker News: Europol-Led Operation Takes Down Tycoon 2FA Phishing-as-a-Service Linked to 64,000 Attacks
Europol-led efforts dismantled Tycoon 2FA, a major phishing-as-a-service toolkit linked to over 64,000 attacks, impacting nearly 100,000 organizations globally. The service, operational since August 2023, facilitated adversary-in-the-middle credential harvesting, generating millions of phishing emails monthly. Key features included a web-based panel for campaign management and real-time data capture. The operation resulted in the takedown of 330 domains supporting the service, which targeted various sectors, including education and healthcare.
2026-03-05 | Help Net Security: Authorities pull plug on Tycoon 2FA phishing-as-a-service platform
Authorities have disrupted Tycoon 2FA, a phishing-as-a-service platform active since August 2023, which enabled cybercriminals to bypass multi-factor authentication (MFA). At its peak, it accounted for 62% of phishing attempts blocked by Microsoft. Investigators took down 330 domains linked to the service, which generated tens of millions of phishing emails monthly and affected nearly 100,000 organizations globally, including schools and hospitals. The operation was coordinated by Europol with support from Microsoft and law enforcement across several countries.
2026-03-05 | TechRadar: Microsoft, Europol take down global phishing as a service network which was able to bypass 2FA with ease
Europol led a multinational operation to dismantle Tycoon 2FA, a major phishing-as-a-service platform active since August 2023. The operation involved police from several countries and resulted in the seizure of 330 domains used for phishing. Tycoon 2FA enabled unauthorized access to nearly 100,000 organizations, generating tens of millions of phishing emails monthly. The platform, which utilized adversary-in-the-middle attacks, reportedly earned over $400,000 in cryptocurrency before its takedown.
2026-03-05 | Recorded Future: Police dismantle major phishing platform blamed for attacks on hospitals and schools
International law enforcement has dismantled the Tycoon 2FA phishing-as-a-service platform, which targeted over 500,000 accounts, including those of hospitals and schools. Authorities seized 330 domains used for phishing operations. Active since 2023, Tycoon 2FA sent tens of millions of phishing emails monthly and was responsible for 62% of phishing attempts blocked by Microsoft. The platform allowed attackers to bypass multi-factor authentication, leading to operational disruptions in healthcare and education sectors.
2026-03-05 | Hack Read: Authorities Shut Down Tycoon 2FA Phishing Platform Used to Bypass MFA
A coordinated international operation led by Europol has dismantled the Tycoon 2FA phishing platform, which enabled large-scale credential theft by bypassing multi-factor authentication. The operation seized around 330 domains and disrupted the infrastructure used for phishing campaigns targeting over 500,000 organizations. Tycoon 2FA utilized adversary-in-the-middle phishing, capturing session tokens to maintain access. The platform, which emerged in August 2023, was linked to tens of millions of phishing emails monthly.
2026-03-05 | Cybersecurity Dive: Microsoft, Europol disrupt global phishing platform Tycoon 2FA
An international coalition led by Microsoft and Europol has dismantled the Tycoon 2FA phishing platform, which compromised over 96,000 victims globally since 2023, including more than 55,000 Microsoft customers. A U.S. court ordered the seizure of 330 domains supporting Tycoon 2FA's operations. The platform harvested credentials from Gmail and Microsoft 365 accounts, significantly impacting businesses and healthcare providers, with Health-ISAC reporting severe operational disruptions in medical facilities.
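Every report above describes the same mechanic: the Tycoon2FA proxy relays the real login, lets the victim complete MFA, and captures the resulting session token, which the attacker then presents from their own infrastructure. The following is an added example, not code from Microsoft, Europol or any cited outlet, showing one detection heuristic over sign-in logs: a session whose MFA-backed bootstrap is followed shortly afterwards by use from a different ASN and a different client string. The JSON-lines log format and field names (ts, user, session, ip, asn, ua, mfa) are assumptions for this illustration, and the sample events are constructed.

```python
"""Detect likely replay of a stolen session token in sign-in logs.

Added example for the Tycoon2FA write-ups above; it is not code from
Microsoft, Europol or any cited outlet. The log format (one JSON object
per line with ts, user, session, ip, asn, ua, mfa) is an assumption for
this illustration; real identity-provider logs use different field names.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Alice completes MFA from one network, then her
# session identifier reappears seven minutes later from a different ASN and
# browser, which is what an adversary-in-the-middle proxy replaying a
# captured token looks like. Bob's session only moves within one ASN.
SAMPLE_LOG = """
{"ts":"2026-03-04T09:00:00Z","user":"alice@example.com","session":"s-1","ip":"203.0.113.10","asn":64500,"ua":"Edge/122","mfa":true}
{"ts":"2026-03-04T09:07:00Z","user":"alice@example.com","session":"s-1","ip":"198.51.100.7","asn":64511,"ua":"Chrome/121","mfa":false}
{"ts":"2026-03-04T10:00:00Z","user":"bob@example.com","session":"s-2","ip":"203.0.113.20","asn":64500,"ua":"Edge/122","mfa":true}
{"ts":"2026-03-04T10:30:00Z","user":"bob@example.com","session":"s-2","ip":"203.0.113.21","asn":64500,"ua":"Edge/122","mfa":false}
"""


def parse_log(text):
    """Parse JSON-lines sign-in events into dicts with datetime timestamps."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def find_token_replays(events, window=timedelta(hours=1)):
    """Return (user, session, first_ip, later_ip) for each session whose
    MFA-backed bootstrap is followed, within `window`, by use from a
    different ASN and a different client string."""
    by_session = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        by_session[event["session"]].append(event)

    hits = []
    for session_id, uses in by_session.items():
        first = uses[0]
        if not first["mfa"]:
            continue  # only judge sessions whose MFA bootstrap we observed
        for later in uses[1:]:
            if later["ts"] - first["ts"] > window:
                break  # uses are time-sorted; the rest are outside the window
            if later["asn"] != first["asn"] and later["ua"] != first["ua"]:
                hits.append((first["user"], session_id, first["ip"], later["ip"]))
    return hits


if __name__ == "__main__":
    for user, session_id, origin, replay in find_token_replays(parse_log(SAMPLE_LOG)):
        print(f"possible token replay: {user} session {session_id} "
              f"issued to {origin}, reused from {replay}")
```

Requiring both the ASN and the client string to change keeps ordinary roaming (a laptop moving between office and home on the same browser) out of the alert stream, at the cost of missing a proxy that spoofs the victim's User-Agent. This is detection after the fact; the fix the reports recommend is phishing-resistant MFA such as FIDO2/WebAuthn, whose credential is bound to the real origin and so cannot be relayed through the proxy in the first place.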
Surge in Attacks on Surveillance Cameras Linked to Iranian Hackers
Date: 2026-03-04 | Source: Infosecurity Magazine
A surge in attacks on internet-connected surveillance cameras in the Middle East, attributed to Iranian hackers, began intensifying on February 28, affecting Israel, Qatar, Bahrain, Kuwait, the UAE, and Cyprus. Check Point Research identified exploitation attempts targeting Hikvision and Dahua devices, focusing on vulnerabilities like CVE-2021-33044 and CVE-2017-7921. Recommendations include removing WAN access, using strong credentials, and monitoring for unusual activity to mitigate risks.
2026-03-04 | Cybersecurity Dive: Iran-nexus hackers target flaws in surveillance cameras
Iran-linked hackers are exploiting critical vulnerabilities in IP cameras, specifically targeting Hikvision and Dahua products since late February. Key flaws include CVE-2023-6895 and CVE-2025-34067 in Hikvision's Intercom Broadcasting System, and CVE-2021-33044 in certain Dahua devices. The attacks have primarily affected countries in the Persian Gulf and Middle East, with a noted connection to prior conflicts involving Israel and Iran. The hackers are linked to the Islamic Revolutionary Guard Corps (IRGC).
2026-03-04 | The Register: 'Hundreds' of Iranian hacking attempts have hit surveillance cameras since the missile strikes
Multiple Iranian hacking crews have targeted internet-connected surveillance cameras in Israel and other Middle Eastern countries since February 28, exploiting vulnerabilities in Hikvision and Dahua products. Check Point researchers identified hundreds of attempts, linking them to potential physical attacks. Key vulnerabilities include CVE-2017-7921, CVE-2021-36260, CVE-2023-6895, CVE-2025-34067, and CVE-2021-33044. Recommendations include updating firmware, removing WAN access, and isolating cameras on dedicated VLANs.
2026-03-05 | Cyber Security News: Threat Actors Intensify Targeting of IP Cameras Across Middle East Amid Ongoing Conflict
Threat actors are increasingly targeting IP cameras in the Middle East, exploiting vulnerabilities amid ongoing regional conflicts. The attacks aim to gain unauthorized access to surveillance systems, potentially compromising sensitive information and security operations. Organizations are urged to enhance their security measures, including updating firmware, changing default passwords, and implementing network segmentation to protect against these threats.
2026-03-06 | Risky.Biz: Risky Bulletin: Iranian hackers are scanning for security cameras to aid missile strikes
A spike in scanning for internet-exposed security cameras in Israel and the Middle East has been linked to an Iranian hacking group amid military tensions. The scans targeted Hikvision and Dahua cameras, aiming to exploit vulnerabilities for reconnaissance during missile strikes. Similar tactics were noted in past conflicts, indicating a trend in using hacked cameras for military intelligence. Security experts recommend securing these devices to mitigate risks associated with their exploitation.
2026-03-06 | Wired: From Ukraine to Iran, Hacking Security Cameras Is Now Part of War’s ‘Playbook’
Check Point's research reveals hundreds of hacking attempts targeting consumer-grade security cameras in the Middle East, linked to Iranian military activities amid escalating tensions. The attacks exploited five vulnerabilities in Hikvision and Dahua cameras, which had been previously patched. The attempts coincided with US and Israeli air strikes on Iran, with Check Point attributing the efforts to Iranian hacker groups, including Handala, associated with Iran's Ministry of Intelligence and Security.
2026-03-07 | Security Affairs: Iran-linked hackers target IP cameras across Israel and Gulf states for military intelligence
Iran-linked hackers have targeted IP cameras in Israel and Gulf states for military intelligence, as reported by Check Point on March 7, 2026. Attacks focused on vulnerabilities in Hikvision and Dahua cameras, including CVE-2017-7921 and CVE-2021-33044. The activity surged around geopolitical tensions, with reconnaissance efforts noted during conflicts. Recommendations include securing cameras behind VPNs, changing default passwords, and monitoring for suspicious activity to mitigate risks.
Russian hackers deploy new malware in phishing campaign targeting Ukraine
Date: 2026-03-04 | Source: Recorded Future
Researchers have identified a Russian espionage campaign targeting Ukraine using two new malware strains: BadPaw and MeowMeow. The attack begins with a phishing email carrying a malicious document that downloads BadPaw, which in turn installs MeowMeow, a backdoor capable of file manipulation. Both strains abort execution when they detect an analysis environment. The campaign is attributed to a Russian state-aligned actor, possibly APT28, and the phishing emails were sent from accounts on the Ukrainian webmail service ukr.net. Targets were not specified.
2026-03-04 | Infosecurity Magazine: Multi-Stage "BadPaw" Malware Campaign Targets Ukraine
A newly identified malware campaign named "BadPaw" targets Ukraine, utilizing a Ukrainian email service for credibility. The attack begins with an email link that redirects victims to a tracking pixel before delivering a disguised HTA application. The malware checks the system's installation date to avoid detection and uses a scheduled task for persistence. It connects to a C2 server to deploy a backdoor, "MeowMeowProgram[.]exe," featuring multiple defensive layers and Russian-language strings, suggesting a possible Russian developer.
2026-03-05 | The Hacker News: APT28-Linked Campaign Deploys BadPaw Loader and MeowMeow Backdoor in Ukraine
Cybersecurity researchers have uncovered a Russian cyber campaign targeting Ukrainian entities, deploying two new malware families: BadPaw and MeowMeow. The attack begins with a phishing email leading to a ZIP file containing an HTA file that displays a decoy document while executing malicious actions. BadPaw, a .NET loader, fetches the MeowMeow backdoor, which can execute PowerShell commands and manipulate files. The campaign is attributed to APT28, based on targeting patterns and language used in the malware.
2026-03-05 | Security Affairs: Russian APT targets Ukraine with BadPaw and MeowMeow malware
A Russian cyberespionage campaign targets Ukrainian entities using new malware families BadPaw and MeowMeow, delivered via phishing emails. The attack begins with a ZIP archive containing an HTA file that lures victims with a decoy document about border crossing appeals. BadPaw, a .NET loader, establishes C2 communication to deploy the MeowMeow backdoor. Both malware strains utilize obfuscation techniques to evade detection, and the campaign is attributed to a Russia-linked group, likely APT28, based on targeting and tactics.
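The delivery chain described across these entries (ZIP archive, HTA file run from the extraction folder, PowerShell spawned by the HTA, scheduled task for persistence) leaves a recognisable footprint in process-creation telemetry. The block below is an added example, not code from any of the researchers cited, showing three rules over constructed Sysmon-style events. The field names (pid, ppid, image, cmd) are an assumption for this illustration and should be mapped to your EDR or Sysmon Event ID 1 schema.

```python
"""Flag the BadPaw-style delivery chain in process-creation telemetry.

Added example for the BadPaw/MeowMeow reports above; it is not code from
any cited researcher and the events are constructed for this illustration.
Field names (pid, ppid, image, cmd) are an assumption; map them to your
EDR or Sysmon Event ID 1 schema before use.
"""
import re

# Constructed events: explorer opens a ZIP, mshta runs the HTA straight out
# of the Temp extraction folder, the HTA spawns PowerShell, and a scheduled
# task is registered that points at a payload under the user profile.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'mshta.exe "C:\Users\olena\AppData\Local\Temp\Temp1_appeal.zip\appeal.hta"'},
    {"pid": 102, "ppid": 101,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -nop -ep bypass -c <elided>"},
    {"pid": 103, "ppid": 101, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /create /sc minute /mo 15 /tn "Updater" /tr "C:\Users\olena\AppData\Roaming\upd.exe"'},
    {"pid": 104, "ppid": 100, "image": r"C:\Program Files\Vendor\tool.exe",
     "cmd": "tool.exe"},
]

# Directories a standard user can write to; a script host or task action
# pointing there is far more suspicious than one under Program Files.
USER_WRITABLE = re.compile(r"\\(Users|Temp|AppData|Downloads|ProgramData)\\", re.I)
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def basename(path):
    """Last path component, lower-cased, for Windows-style paths."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, pid) for each event matching a chain indicator."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for event in events:
        name = basename(event["image"])
        parent = by_pid.get(event["ppid"])
        parent_name = basename(parent["image"]) if parent else ""
        cmd = event["cmd"]

        # 1. mshta executing an .hta from a user-writable location.
        if name == "mshta.exe" and re.search(r"\.hta\b", cmd, re.I) and USER_WRITABLE.search(cmd):
            hits.append(("hta_from_user_path", event["pid"]))

        # 2. An HTA host spawning a command interpreter.
        if parent_name == "mshta.exe" and name in SHELLS:
            hits.append(("mshta_spawns_shell", event["pid"]))

        # 3. Scheduled-task persistence whose action lives under a user profile.
        if name == "schtasks.exe" and "/create" in cmd.lower() and USER_WRITABLE.search(cmd):
            hits.append(("schtask_runs_user_path", event["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Each rule on its own is noisy in some environments (admin scripts also create tasks under ProgramData); what makes this chain worth alerting on is that all three fire within one process tree inside a few seconds. Correlate on the mshta parent pid before paging anyone.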
United States Leads Dismantlement of One of the World’s Largest Hacker Forums
Date: 2026-03-04 | Source: US Department of Justice
The U.S. Department of Justice announced the seizure of LeakBase, a major cybercriminal forum with over 142,000 members, on March 3-4. The operation involved 14 countries and resulted in the shutdown of the forum, seizure of its data, and arrests. LeakBase facilitated the sale of stolen personal and banking information. Law enforcement agencies, including the FBI and Europol, emphasized the importance of international cooperation in combating cybercrime. The investigation is ongoing, with significant assistance from various international authorities.
2026-03-04 | Cyber Security News: Operation Leak Dismantles LeakBase Cybercriminal Forum – User Data, IP Logs Secured by Authorities
The FBI, in collaboration with international law enforcement, has seized the cybercriminal forum LeakBase, known for trading stolen databases, under “Operation Leak.” The domains now redirect to an FBI seizure banner. Legal actions were based on U.S. and German court orders. All user data, including accounts and IP logs, have been secured for evidence. Authorities encourage former users to report to a dedicated tip-line. This operation significantly impacts the data-leak forum ecosystem.
2026-03-04 | Recorded Future: Sprawling FBI, European operation takes down Leakbase cybercriminal forum
The FBI and European law enforcement dismantled the Leakbase cybercriminal forum, which sold stolen credentials and exploits. The operation, named “Operation Leak,” involved 100 actions against 45 targets across multiple countries, resulting in 13 arrests and the seizure of the forum's database. Leakbase had over 142,000 members and facilitated access to U.S. networks. The investigation, ongoing for years, revealed the forum's significant role in cybercrime, impacting various businesses.
2026-03-04 | Cyberscoop: Authorities from 14 countries shut down major cybercrime forum LeakBase
Authorities from 14 countries, including the FBI and Europol, shut down the cybercrime forum LeakBase, which had over 142,000 members and hosted a vast archive of hacked databases. The operation resulted in multiple arrests and the seizure of domains, user accounts, and sensitive data. LeakBase specialized in leaked databases and stealer logs, with over 32,000 posts. The takedown aimed to disrupt platforms facilitating data theft and hold cybercriminals accountable globally.
2026-03-04 | TechCrunch: US and EU police shut down LeakBase, a site accused of sharing stolen passwords and hacking tools
U.S. and European law enforcement have seized LeakBase, a major cybercriminal forum with over 142,000 members, known for sharing stolen passwords and hacking tools. Operating since 2021, it maintained a vast archive of hacked databases, including millions of credentials and financial information. The takedown involved around 100 global enforcement actions and targeted the top 37 users. The FBI redirected the domain to its servers, preserving the forum's contents and logs, leading to 13 arrests and investigations of 33 suspects.
2026-03-05 | The Hacker News: FBI and Europol Seize LeakBase Forum Used to Trade Stolen Credentials
A joint operation by the FBI and Europol has dismantled LeakBase, a major forum for trading stolen data, with over 142,000 members. The site, now seized, hosted hacked databases and sensitive information. The operation, named "Operation Leak," occurred on March 3-4, 2026, involving global enforcement actions, including arrests and interviews in multiple countries. Authorities secured all forum content for evidence, targeting users involved in selling stealer logs and facilitating cyber intrusions.
2026-03-05 | Help Net Security: LeakBase cybercrime forum with 142,000 users taken down in global operation
LeakBase, a cybercrime forum with 142,000 users, was dismantled in a global operation led by Europol and 14 countries. Active since 2021, it facilitated the trade of leaked databases and stolen credentials. Authorities seized its database, enabling the identification of users who thought they were anonymous. The takedown occurred in two phases: arrests and searches on March 3, followed by domain seizure on March 4. The operation aims to deter future cybercrime and raise awareness of its consequences.
2026-03-05 | Security Affairs: Operation Leak: FBI and Europol dismantle LeakBase Cybercrime forum
The FBI and Europol dismantled the LeakBase cybercrime forum on March 3, 2026, as part of "Operation Leak," involving 14 countries. The forum, active since 2021, facilitated the trade of hacking tools and stolen data, boasting over 142,000 users. Law enforcement conducted around 100 interventions targeting key users and seized the forum's domain. The operation aimed to deter cybercrime and raise awareness about the risks of stolen data, emphasizing the need for strong passwords and multi-factor authentication.
2026-03-05 | Infosecurity Magazine: Europol Operation Seizes LeakBase Data Breach Site
Europol coordinated a global operation on March 3, 2026, leading to the takedown of LeakBase, a major forum for stolen data with over 142,000 users. Law enforcement in the US, Australia, and several European countries targeted 37 active users, seizing two domains and the customer database. This operation aims to disrupt the illegal trade in stolen credentials, which has seen a significant rise. Europol emphasized its commitment to holding cybercriminals accountable.
2026-03-05 | TechRadar: Major data leak forum LeakBase seized by FBI, Europol, and shut down
Europol, in collaboration with the FBI, dismantled the LeakBase underground data forum, which had over 142,000 users trading stolen data. On March 3, 2026, law enforcement conducted around 100 actions, including arrests and house searches targeting 37 active users. The forum's domain was seized and defaced, with its database confiscated to deanonymize users. Authorities did not disclose the number of arrests or specific charges. This operation underscores the reach of international law enforcement in combating cybercrime.
2026-03-05 | CSO Online: Europol shuts down huge market for stolen data
Europol announced the closure of LeakBase, one of the largest marketplaces for stolen data, during an international operation. The Amsterdam police reported that LeakBase had 142,000 registered users and its servers were located in Amsterdam. On a coordinated action day, investigators from 14 countries conducted around 100 operations targeting the platform's 37 main users. Europol described LeakBase as a central hub in the cybercrime ecosystem, specializing in the trade of stolen data.
2026-03-05 | CSO Online: Europol: Large market for stolen data closed
Europol announced the closure of Leakbase, one of the world's largest marketplaces for stolen data, during an international operation led by the Amsterdam police. The platform had 142,000 registered users and was accessible on the open internet. On a coordinated action day involving 14 countries, approximately 100 operations targeted the 37 main users of the site. Europol described Leakbase as a central hub in the cybercrime ecosystem specializing in the trade of stolen data.
2026-03-05 | Hack Read: LeakBase Cybercrime and Hacker Forum Seized
In early March 2026, an international law enforcement operation led by Europol dismantled the LeakBase cybercrime forum, which specialized in trading stolen databases and credentials. Authorities from 14 countries seized the forum's domains and backend data, executing around 100 enforcement actions, including arrests. LeakBase had over 142,000 registered members and facilitated account takeover attacks and fraud. The operation aimed to disrupt cybercrime infrastructure, although similar forums may quickly reemerge.
2026-03-06 | CSO Online: LeakBase marketplace unplugged by cops in 14 countries
The LeakBase cyberforum, a major marketplace for stolen data and cybercrime tools, was seized by US authorities with coordinated actions in 14 countries. The US Department of Justice announced that law enforcement captured data and two domains associated with the forum, which had 142,000 users. Arrests were made and search warrants executed in the US, Australia, Belgium, Poland, Portugal, Romania, Spain, and the UK. "Prevention messages" were also sent to members of LeakBase.
APT41-Linked Silver Dragon Targets Governments Using Cobalt Strike and Google Drive C2
Date: 2026-03-04 | Source: The Hacker News
Cybersecurity researchers have identified the APT group Silver Dragon, linked to attacks on government entities in Europe and Southeast Asia since mid-2024. Silver Dragon exploits public-facing servers and uses phishing emails for initial access. The group employs Cobalt Strike for persistence and utilizes DNS tunneling for command-and-control. Three infection chains were identified: AppDomain hijacking, service DLL, and phishing. The group also deploys various post-exploitation tools, including a backdoor communicating via Google Drive.
2026-03-04 | Security Affairs: From phishing to Google Drive C2: Silver Dragon expands APT41 playbook
APT group Silver Dragon, linked to APT41, has been targeting government entities in Europe and Southeast Asia since mid-2024. They exploit public-facing servers and use phishing emails with malicious attachments for initial access. Their tactics include AppDomain hijacking, deploying Cobalt Strike beacons, and utilizing Google Drive for command-and-control. Tools like MonikerLoader and BamboLoader facilitate payload injection and persistence. The group shows advanced capabilities with custom tools for data exfiltration and lateral movement.
2026-03-04 | Cyber Security News: Silver Dragon APT Group Targets Europe, Asia Using Google Drive for Covert Communication
A China-linked APT group, Silver Dragon, has been targeting government and high-profile organizations in Europe and Southeast Asia since mid-2024. They exploit public-facing servers and use phishing emails to deploy Cobalt Strike beacons for control. Their primary tool, GearDoor, utilizes Google Drive for command-and-control, making detection challenging. Recommendations include monitoring cloud storage traffic, auditing Windows services, and enhancing phishing awareness training for government personnel.
2026-03-05 | TechRadar: Chinese hackers hide malware within Windows and Google Drive to hit government targets
Chinese state-backed group Silver Dragon has been targeting government entities in Europe and Asia since mid-2024, utilizing phishing emails and compromised servers for cyber-espionage. They employ a custom backdoor, GearDoor, which uses Google Drive for command-and-control, allowing covert data exfiltration. The group also hijacks legitimate Windows services to load malicious code, blending into normal system activity to evade detection. This tactic increases risk by exploiting trusted cloud services and operating system components.
LexisNexis Data Breach — Threat Actor Allegedly Claims 2.04 GB Stolen
Date: 2026-03-03 | Source: Cyber Security News
A threat actor named FulcrumSec claimed responsibility for a breach of LexisNexis, alleging the theft of 2.04 GB of data from its AWS infrastructure. Initial access was gained on February 24, 2026, by exploiting the unpatched React2Shell vulnerability. The breach exposed 3.9 million database records, 400,000 cloud user profiles (including 118 .gov email accounts), and 21,042 employee password hashes. FulcrumSec criticized LexisNexis for poor security practices, including weak password management.
2026-03-03 | Recorded Future: LexisNexis says hackers accessed legacy data in contained breach
LexisNexis confirmed a contained breach where hackers accessed legacy data, including millions of records and .gov email addresses. The breach involved 2 GB of information from a limited number of servers, primarily containing data prior to 2020, such as customer names, user IDs, and support tickets. The company stated there was no evidence of compromise to its products and services and has engaged a cybersecurity firm for investigation. Impacted customers have been notified.
2026-03-04 | TechRadar: LexisNexis confirms data breach, says hackers hit customer and business info
American analytics firm LexisNexis confirmed a data breach involving outdated data, claiming hackers accessed legacy information prior to 2020. The group FulcrumSec leaked 2GB of files, asserting they accessed sensitive data, including hundreds of government user records and 400,000 cloud user profiles. LexisNexis stated no sensitive personally identifiable information or financial data was compromised. The company believes the attack is contained and did not engage with the hackers' ransom demands.
2026-03-04 | The Register: LexisNexis confirms data breach at Legal & Professional arm, some customer records affected
LexisNexis confirmed a data breach in its Legal & Professional division, attributed to the Fulcrumsec cybercrime group. The breach involved limited access to legacy data, including customer names, user IDs, and business contact information, but did not expose sensitive PII or financial data. Fulcrumsec claims to have exfiltrated over 2 GB of data, including 400,000 user profiles and details on government staff. LexisNexis is investigating and has engaged a third-party forensics team for remediation.
AI and Deepfakes Supercharge Sophisticated Cyber-Attacks, Says Cloudflare
Date: 2026-03-03 | Source: Infosecurity Magazine
The 2026 Cloudflare Threat Report highlights how AI and large language models (LLMs) have lowered the barrier for cybercriminals, enabling rapid and effective cyber-attacks. Threat actors, including state-sponsored groups, use LLMs for crafting convincing phishing emails and malware. Notably, AI deepfakes are being employed to infiltrate organizations, posing as legitimate employees. Cloudflare warns of the "industrialization of cyber threats," urging organizations to adopt proactive, real-time intelligence strategies to combat evolving tactics.
2026-03-03 | Help Net Security: Cloudflare tracked 230 billion daily threats and here is what it found
Cloudflare's 2026 cyber threat report reveals it blocks over 230 billion threats daily and highlights a shift in attack methods. Infostealers such as LummaC2 now harvest session tokens, and the report links this token theft to 54% of ransomware attacks. Bots account for 94% of login attempts, many using compromised credentials. Threat actors abuse cloud services to host attacks, while phishing exploits gaps in email authentication. DDoS attacks doubled in 2025, with a record 31.4 Tbps attack. North Korean operatives use deepfake profiles to infiltrate Western organizations.
2026-03-03 | DIGIT: Bots Now Behind 94% of Fraudulent Logins, Warns Cloudflare
Cloudflare's 2026 Threat Report reveals that bots account for 94% of fraudulent logins, with AI being exploited by both state-sponsored and independent cybercriminals. Notable tactics include using AI for network mapping and deepfake creation. North Korean operatives are infiltrating Western payrolls, while Chinese-linked groups target critical infrastructure in North America. DDoS attacks have surged, with botnets like Aisuru capable of overwhelming networks. Organizations are urged to adopt proactive intelligence-driven security measures.
2026-03-04 | Cyber Security News: New Threat Report Warns AI Is Automating High-Velocity Attacker Operations
On March 3, 2026, Cloudflare's inaugural Threat Report highlights the rapid evolution of cyber attacks driven by AI. Key findings include the rise of token theft, hyper-volumetric DDoS attacks reaching 31.4 Tbps, and state-sponsored groups exploiting deepfakes for espionage. Attackers now utilize trusted tools for command-and-control, complicating detection. Recommendations include adopting autonomous defenses, enforcing email authentication protocols, and implementing Zero Trust access controls to counter these threats effectively.
2026-03-04 | TechRadar: 'The total industrialization of cyber threats': Cloudflare report outlines how hackers are 'weaponizing the Internet'
Cloudflare's 2026 Threat Report reveals a significant shift in cyberattacks driven by Generative AI (GenAI), marking the first recorded AI-based attack that compromised hundreds of corporate tenants. The report highlights the rise of DDoS attacks, with botnets like Aisuru posing nation-state level threats, and emphasizes the need for organizations to adopt real-time intelligence to counter evolving tactics. North Korean groups are also leveraging AI for espionage, using deepfakes to infiltrate companies.
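Two of the Cloudflare summaries above say phishing succeeds where email authentication is weak and recommend enforcing it. What "enforcing" means in practice is an SPF record that hard-fails unknown senders and a DMARC policy of reject, not the monitoring-only configurations most domains stop at. The block below is an added example, not code from Cloudflare, that grades a domain's records on exactly those points. The DNS answers are constructed for this illustration so it runs offline; replace `txt_records` with a real resolver (for instance dnspython's `dns.resolver.resolve(name, "TXT")`) to audit live domains.

```python
"""Grade a domain's SPF and DMARC records by whether they would actually
stop spoofed mail. Added example prompted by the Cloudflare report summaries
above; not code from Cloudflare. The DNS answers are constructed for this
illustration so the script runs offline; swap `txt_records` for a real
resolver (for instance dnspython's `dns.resolver.resolve(name, "TXT")`) to
audit live domains.
"""

# Constructed TXT records for hypothetical domains (not real DNS data).
FAKE_DNS = {
    "example.com": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"],
    "weak.example": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "open.example": ["v=spf1 ip4:192.0.2.0/24 +all"],
}


def txt_records(name):
    """Stand-in for a DNS TXT lookup; returns the constructed records."""
    return FAKE_DNS.get(name, [])


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a lowercase-key dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(domain):
    """Return a list of findings; an empty list means SPF hard-fails unknown
    senders and DMARC rejects mail that fails alignment."""
    findings = []

    spf = [r for r in txt_records(domain) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record")
    else:
        terms = spf[0].lower().split()
        if "+all" in terms or "all" in terms:
            findings.append("SPF authorises every sender (+all)")
        elif "~all" in terms:
            findings.append("SPF softfail only (~all); relies on DMARC")
        elif "-all" not in terms:
            findings.append("SPF has no terminal all mechanism (defaults to neutral)")

    dmarc = [r for r in txt_records("_dmarc." + domain) if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append("no DMARC record")
        return findings

    tags = parse_dmarc(dmarc[0])
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC p=none: monitors but does not block")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: spoofs are junked, not rejected")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"DMARC enforced on only {pct}% of mail")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("DMARC sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        findings.append("no aggregate reporting (rua), so failures go unseen")
    return findings


if __name__ == "__main__":
    for domain in ("example.com", "weak.example", "open.example"):
        print(domain, "->", assess(domain) or ["ok"])
```

The two gaps attackers exploit most are `~all` paired with `p=none` (nothing is ever rejected, only reported) and a strong policy on the apex domain with `sp=none` on subdomains. DKIM is deliberately out of scope here: its selector records cannot be enumerated from DNS alone, so check them from your sending platform.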
Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit
Date: 2026-03-03 | Source: Google Cloud
Google Threat Intelligence Group has identified the "Coruna" exploit kit targeting iPhones running iOS 13.0 to 17.2.1, containing 23 exploits and advanced non-public techniques. Initially used by a surveillance vendor's customer, it was later deployed in attacks by UNC6353 and UNC6691. The kit highlights a market for second-hand zero-day exploits. Users are urged to update to the latest iOS version for protection, and if updates are not possible, to enable Lockdown Mode for enhanced security.
2026-03-03 | Help Net Security: Coruna: Spy-grade iOS exploit kit powering financial crime
A powerful iOS exploit kit named "Coruna" has been linked to various threat actors, evolving from surveillance to financial crime. It contains five exploit chains and 23 exploits, including CVE-2024-23222 and CVE-2022-48503. Targeting iOS versions 13.0 to 17.2.1, it was first observed in February 2025. The kit can exfiltrate sensitive information from crypto-wallet apps. Users are advised to upgrade to the latest iOS version or use Lockdown Mode to mitigate risks.
2026-03-03 | Wired: A Possible US Government iPhone-Hacking Toolkit Is Now in the Hands of Foreign Spies and Criminals
A sophisticated iPhone-hacking toolkit named "Coruna," capable of exploiting 23 iOS vulnerabilities, has transitioned from Russian espionage to cybercriminal use targeting Chinese-speaking victims. Google researchers linked Coruna to a US government contractor, suggesting it may have originated as a government tool. The toolkit's proliferation raises concerns about the security of mobile devices, paralleling the infamous EternalBlue incident. Google warns of an active market for second-hand zero-day exploits.
2026-03-03 | Cyberscoop: Possible U.S.-developed exploits linked to first known ‘mass’ iOS attack
An exploit kit, potentially derived from a leaked U.S. government framework, is linked to the first mass-scale attack on iOS, affecting at least 42,000 devices. Researchers from Google and iVerify noted its use by Chinese cybercriminals and in Russian attacks on Ukraine. The Coruna exploit kit exemplifies the proliferation of sophisticated zero-day exploits. Apple has issued multiple patches in response, while the NSA declined to comment on allegations of U.S. involvement.
2026-03-03 | TechCrunch: A suite of government hacking tools targeting iPhones is now being used by cybercriminals
A suite of hacking tools, dubbed Coruna, originally developed for government use, has been identified as being exploited by cybercriminals to compromise Apple iPhones running older software. Google discovered the kit in February 2025, initially linked to a surveillance vendor's attempt to hack a phone. The tools can bypass iPhone defenses via malicious websites, affecting devices from iOS 13 to 17.2.1. iVerify suggests the tools may be linked to the U.S. government, highlighting risks of government exploits leaking to malicious actors.
2026-03-04 | Cyber Security News: Coruna Exploit Kit With 23 Exploits Hacked Thousands of iPhones
Google's Threat Intelligence Group uncovered the Coruna exploit kit, a sophisticated iOS attack framework with 23 exploits targeting iPhones running iOS 13.0 to 17.2.1. It evolved through three phases in 2025, from commercial surveillance to state-sponsored espionage and financial fraud. Key CVEs include CVE-2021-30952 and CVE-2023-43000. The final payload, PlasmaLoader, targets cryptocurrency wallets and Apple Notes. Users are advised to update iOS, enable Lockdown Mode, and avoid unverified financial sites.
2026-03-04 | TechRadar: iPhones targeted by 'new and powerful' malware - and "Coruna" may have been developed by the US government
A complex exploit kit named "Coruna," targeting iPhones, has been discovered by Google researchers. Initially used by a surveillance software customer, it has since been employed by Russian and Chinese threat actors. The kit, potentially developed by the US government, contains 23 exploits for mass attacks on devices running iOS 13.0 to 17.2.1. Users are advised to upgrade their iOS or enable Lockdown Mode for protection. The kit aims to access financial and personal information.
2026-03-04 | The Hacker News: Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1
Google identified the Coruna exploit kit targeting iOS 13–17.2.1, featuring 23 exploits across five chains. Active since February 2025, it evolved from commercial surveillance to government and criminal use. Key CVEs include CVE-2024-23222 and CVE-2023-43000. The kit employs a JavaScript framework for device fingerprinting and exploits delivery. Notably, it avoids execution in Lockdown Mode. Users are advised to update devices and enable Lockdown Mode for enhanced security.
2026-03-05 | Security Affairs: Google uncovers Coruna iOS Exploit Kit targeting iOS 13–17.2.1
Google has identified the Coruna iOS exploit kit, targeting iPhones running iOS 13–17.2.1, utilizing 23 exploits across five chains. The kit is ineffective against the latest iOS version. It has been used in targeted attacks by surveillance vendors and broader campaigns by Chinese threat actors. The exploits include RCE and PAC bypasses, with a payload designed to steal financial information and scan for crypto wallets. Google has shared IOCs and Yara rules to aid in detection and prevention.
2026-03-05 | Infosecurity Magazine: Coruna Exploit Kit Targets Older iPhones in Multi-Stage Campaigns
A sophisticated exploit kit named Coruna targets iPhones running iOS 13.0 to 17.2.1, comprising 5 exploit chains and 23 vulnerabilities to extract financial data. Initially linked to a surveillance vendor and later to Russian espionage group UNC6353, it re-emerged in 2025 with Chinese actor UNC6691 using fake financial sites. Key features include device fingerprinting and bypassing Apple security. The payload, PlasmaLoader, collects financial data and transmits it to attackers. Users are advised to update to the latest iOS or enable Lockdown Mode.
2026-03-05 | CSO Online: Coruna iOS exploit kit moved from spy tool to mass criminal campaign in under a year
Google's threat intelligence researchers report that the Coruna iOS exploit kit has evolved from a tool used by a commercial surveillance vendor to a mass criminal campaign within a year. Initially utilized by a suspected Russian espionage group, it is now in the hands of Chinese cybercriminals. The kit includes five exploit chains made up of 23 exploits targeting iPhones on iOS versions 13.0 to 17.2.1, indicating a thriving market for second-hand zero-day exploits.
2026-03-06 | Ars Technica: Feds take notice of iOS vulnerabilities exploited under mysterious circumstances
The Cybersecurity and Infrastructure Security Agency (CISA) has mandated federal agencies to patch three critical iOS vulnerabilities exploited over 10 months by three hacking groups using the Coruna exploit kit. This kit contains 23 iOS exploits and poses a significant threat to iOS versions 13 to 17.2.1. CISA advises all organizations to patch these vulnerabilities. Coruna features advanced capabilities, including a unique JavaScript framework for device fingerprinting and exploit delivery.
'The attack requires no exploit, no user clicks, and no explicit request for sensitive actions': Experts say Perplexity's AI Comet browser can be hijacked to steal your passwords
Date: 2026-03-03 | Source: TechRadar
Perplexity's AI Comet browser is vulnerable to a zero-click indirect prompt injection flaw, named PleaseFix, discovered by Zenity researchers. This vulnerability allows attackers to exfiltrate passwords and sensitive files through malicious calendar invites without user awareness. The AI cannot distinguish between data and instructions, executing harmful commands embedded in seemingly benign invites. The issue was patched by restricting file:// access, preventing the AI from reading the local filesystem.
2026-03-03 | The Register: Until last month, attackers could've stolen info from Perplexity Comet users just by sending a calendar invite
Researchers from Zenity Labs discovered vulnerabilities in Perplexity's Comet browser that allowed attackers to access local files and potentially hijack 1Password accounts via malicious calendar invites. The browser's failure to enforce cross-origin restrictions enabled unauthorized file access. After notifying Perplexity on October 22, 2025, a fix was implemented but was later bypassed. A second patch on February 13, 2026, addressed the issue. 1Password also issued a security advisory to enhance protections.
2026-03-03 | Cyberscoop: Researchers discover suite of agentic AI browser vulnerabilities
Researchers at Zenity Labs identified vulnerabilities in multiple agentic AI browsers, including Perplexity’s Comet, allowing attackers to hijack the browser via legitimate calendar invites using prompt injection. This exploitation enables unauthorized access to local file systems and password managers without malware. The vulnerabilities were reported to Perplexity in 2022, with a fix issued in February 2026. Prompt injection attacks pose significant challenges for AI integration, as complete elimination of such flaws may be impossible.
2026-03-04 | Help Net Security: The vulnerability that turns your AI agent against you
Zenity Labs disclosed the PleaseFix vulnerabilities affecting agentic browsers like Perplexity Comet, allowing attackers to hijack AI agents, access local files, and steal credentials. The vulnerabilities enable zero-click agent compromise and manipulation of password manager interactions. These exploits leverage autonomous actions within authenticated sessions, exposing sensitive data without user awareness. Perplexity has addressed the underlying issues prior to the public disclosure.
2026-03-04 | Cyber Security News: Perplexity’s Comet Browser Hijacked Using Calendar Invite to Exfiltrate Sensitive Data
A critical vulnerability, dubbed PerplexedBrowser, has been discovered in Perplexity’s Comet browser, allowing a zero-click attack via a poisoned Google Calendar invite. This exploit can exfiltrate local files and credentials, including 1Password data. The attack merges legitimate user requests with hidden malicious payloads, directing the browser to an attacker-controlled site. This is the sixth major flaw since Comet's launch in July 2025. Users are advised to secure password managers and limit agent access to sensitive domains.
2026-03-05 | Hack Read: PleaseFix Flaw Lets Hackers Access 1Password Vault via Comet AI Browser
A security vulnerability named PleaseFix was identified in the Comet AI browser, allowing attackers to hijack the AI assistant via malicious calendar invites. This zero-click attack can steal local files or access a user's 1Password vault, enabling full account takeover. Zenity Labs reported the issue to Perplexity on 22 October 2025, leading to fixes implemented by 13 February 2026. Users must opt-in to new security settings to protect against these risks, highlighting the need for caution with AI-powered browsers.
Iranian Cyber Threat Actor Targets Iraqi Government Officials in AI-Powered Campaign
Date: 2026-03-03 | Source: Infosecurity Magazine
An Iran-nexus cyber threat actor, identified as Dust Specter, targeted Iraqi government officials by impersonating the Ministry of Foreign Affairs using AI tools. Detected in January 2026 by Zscaler ThreatLabz, the campaign involved previously undocumented malware, including SplitDrop, TwinTask, and TwinTalk. The first attack chain used a password-protected RAR file to deliver malware, while the second consolidated functionality into a single binary, employing Google Forms for social engineering and in-memory PowerShell execution.
2026-03-04 | Cyber Security News: Iran‑Nexus APT ‘Dust Specter’ Hits Iraqi Officials with AI‑Assisted Malware and Novel RATs
In January 2026, the Iran-linked APT group Dust Specter targeted Iraqi government officials using AI-assisted malware. The campaign introduced four new malware tools: SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. SPLITDROP, disguised as a WinRAR application, decrypted and deployed malware silently. GHOSTFORM posed as a government survey while executing malware. The attack utilized DLL sideloading for persistence and employed AI in code development. Recommendations include application allowlisting and monitoring for suspicious activity.
2026-03-05 | The Hacker News: Dust Specter Targets Iraqi Officials with New SPLITDROP and GHOSTFORM Malware
A campaign attributed to the Iran-linked threat actor Dust Specter targets Iraqi government officials by impersonating the Ministry of Foreign Affairs. Observed by Zscaler ThreatLabz in January 2026, the campaign uses malware including SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. The attacks employ sophisticated evasion techniques and command-and-control mechanisms. GHOSTFORM consolidates functionalities into a single binary, utilizing in-memory execution and embedding a Google Forms URL masquerading as an official survey.
2026-03-06 | Security Affairs: Iran-nexus APT Dust Specter targets Iraq officials with new malware
Iran-linked APT Dust Specter is targeting Iraqi officials with phishing emails delivering new malware, including SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. The campaign, observed by Zscaler ThreatLabz, uses social engineering tactics, impersonating Iraq’s Ministry of Foreign Affairs. Attack Chain 1 involves a password-protected RAR archive deploying malware, while Attack Chain 2 consolidates functionality into a single binary. Indicators suggest generative AI may have aided in malware development.
Google addresses actively exploited Qualcomm zero-day in fresh batch of 129 Android vulnerabilities
Date: 2026-03-02 | Source: Cyberscoop
Google disclosed an actively exploited zero-day vulnerability, CVE-2026-21385, affecting an open-source Qualcomm display component in Android devices. This memory-corruption flaw impacts 234 chipsets and was reported to Qualcomm on Dec. 18, 2025. Qualcomm issued fixes in January 2026. The March Android security update addresses 129 vulnerabilities, the highest monthly total since April 2018, with two patch levels released. The update includes 63 vulnerabilities in the primary patch and 66 in the secondary patch.
2026-03-03 | Cyber Security News: Android Security Update – Patch for 129 Vulnerabilities and Actively Exploited Zero-Day
Google's March 2026 Android Security Bulletin addresses 129 vulnerabilities, including a high-severity zero-day (CVE-2026-21385) in Qualcomm Display, currently exploited in targeted attacks. The update includes critical patches for Remote Code Execution (CVE-2026-0006) and Elevation of Privilege vulnerabilities. Users should apply the 2026-03-05 patch level for full protection. Google collaborates with vendors to secure hardware components, and source code patches will be available in 48 hours. Google Play Protect continues to monitor threats.
2026-03-03 | The Hacker News: Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited
Google disclosed CVE-2026-21385, a high-severity buffer over-read vulnerability in a Qualcomm component used in Android devices, exploited in the wild. The flaw, reported on December 18, 2025, has a CVSS score of 7.8. Google’s March 2026 update includes patches for 129 vulnerabilities, including critical flaws like CVE-2026-0006, CVE-2026-0047, and several privilege escalation issues. Two patch levels, 2026-03-01 and 2026-03-05, were provided for Android partners to address vulnerabilities efficiently.
2026-03-03 | Help Net Security: Android’s March 2026 security patch fixes over 100 flaws, one under targeted exploitation
The Android March 2026 security patch addresses over 100 vulnerabilities, including CVE-2026-21385, which is under targeted exploitation and affects Qualcomm Display. Critical vulnerabilities include CVE-2026-0006 (remote code execution) and CVE-2025-48631 (denial of service). The Framework section lists over 30 CVEs, primarily elevation-of-privilege issues. Third-party vendors like MediaTek and Qualcomm contribute significantly to the CVE count. Patches will be available through Google Play for devices on Android 10 and later.
2026-03-03 | Security Affairs: Android devices hit by exploited Qualcomm flaw CVE-2026-21385
Google confirmed the exploitation of Qualcomm vulnerability CVE-2026-21385 (CVSS 7.8) in Android devices, allowing attackers to access sensitive memory data. Reported by Google on December 18, 2025, Qualcomm notified customers on February 2, 2026. The March 2026 Android update addresses 129 vulnerabilities, including critical flaws like CVE-2026-0006 (CVSS 9.8) for remote code execution. Two patch levels (2026-03-01 and 2026-03-05) were introduced for faster fixes.
2026-03-03 | TechRadar: Google patches 129 Android security flaws — including a potentially dangerous Qualcomm zero-day
Google's March 2026 Android update addresses 129 vulnerabilities, including 10 critical bugs. Notably, CVE-2026-21385, a buffer over-read vulnerability in Qualcomm's Graphics component, has a severity score of 7.8/10 and is reportedly exploited in the wild across 235 chipsets. Two patch levels (2026-03-01 and 2026-03-05) were released, with Pixel devices prioritized for updates. The vulnerabilities could lead to remote code execution, privilege escalation, and DoS attacks.
2026-03-04 | Malwarebytes Labs: High-severity Qualcomm bug hits Android devices in targeted attacks
Google's March 2026 Android Security Bulletin addresses 129 vulnerabilities, including CVE-2026-21385, a high-severity Qualcomm graphics/display flaw actively exploited in targeted attacks. Affected devices include over 230 Qualcomm chipset models, potentially impacting hundreds of millions globally. Users are advised to update to patch level 2026-03-05 or later and follow safety precautions, such as installing apps only from official stores and scrutinizing app permissions to mitigate risks.
OAuth redirection abuse enables phishing and malware delivery
Date: 2026-03-02 | Source: Microsoft Security
Microsoft identified phishing campaigns exploiting OAuth redirection to deliver malware, targeting government and public-sector organizations. Attackers create malicious applications with redirect URIs leading to attacker-controlled domains. Phishing emails used themes like e-signatures and financial matters to entice clicks. The attack involves silent OAuth probes, redirect abuse, and malware delivery via ZIP files containing malicious scripts. Recommendations include governing OAuth applications, enhancing monitoring, and blocking known indicators of compromise.
2026-03-03 | The Register: Phish of the day: Microsoft OAuth scams abuse redirects for malware delivery
Microsoft has reported ongoing OAuth abuse scams targeting government and public-sector organizations, utilizing phishing emails and URL redirects to deliver malware. Attackers exploit OAuth's redirect feature to lead victims to malicious landing pages. Campaigns involve phishing emails with various lures, and attackers use tools to distribute messages. The malicious payloads include ZIP files and LNK shortcuts that execute PowerShell commands, ultimately connecting to external command-and-control endpoints. Microsoft emphasizes the need for ongoing monitoring.
2026-03-03 | The Hacker News: Microsoft Warns OAuth Redirect Abuse Delivers Malware to Government Targets
Microsoft reported phishing campaigns targeting government and public-sector organizations using OAuth URL redirection to deliver malware. Attackers create malicious applications with redirect URLs to rogue domains, tricking users into downloading malware via crafted OAuth links. The malware, distributed as ZIP files, executes PowerShell commands and sideloads a malicious DLL. Emails use themes like e-signature requests to lure victims. Microsoft advises limiting user consent and reviewing application permissions to mitigate risks.
2026-03-03 | Security Affairs: Phishing campaign exploits OAuth redirection to bypass defenses
Microsoft researchers have identified phishing campaigns exploiting OAuth URL redirection to target government organizations. Attackers create malicious OAuth applications to redirect users to attacker-controlled sites, bypassing traditional defenses. By manipulating OAuth parameters, they trigger errors that lead to malware downloads, including ZIP files with LNK shortcuts. Recommendations include governing OAuth applications, limiting user consent, and enhancing identity protection to mitigate risks associated with these identity-based threats.
2026-03-03 | CSO Online: OAuth phishers make ‘check where the link points’ advice ineffective
Microsoft has alerted that phishers are misusing OAuth's redirect feature to lead victims to malware via links appearing to originate from legitimate identity providers like Microsoft Entra ID and Google Workspace. These links, while seemingly safe, redirect users to malicious sites. Microsoft has disabled several malicious OAuth applications but cautions that such phishing campaigns persist and necessitate continuous monitoring.
2026-03-03 | TechRadar: Microsoft warns of OAuth phishing campaigns able to bypass email and browser defenses - says 'these campaigns demonstrate that this abuse is operational, not theoretical'
Microsoft warns of phishing campaigns exploiting the OAuth redirect feature to deliver malware and steal credentials. Attackers send emails themed around Teams recordings or Microsoft 365 resets, redirecting victims to malicious sites. Payloads are delivered via ZIP files containing LNK shortcuts and HTML smuggling, leading to PowerShell commands that connect to external C2 endpoints. Victims do not lose credentials on the OAuth page; the redirect is solely for payload delivery. The extent of the campaign's impact on government organizations remains unclear.
2026-03-03 | Help Net Security: Threat actors weaponize OAuth redirection logic to deliver malware
An ongoing phishing campaign is exploiting OAuth redirection to deliver malware, targeting government and public-sector organizations. Attackers manipulate legitimate OAuth login flows, redirecting users from trusted pages to malicious sites. The campaign begins with deceptive emails leading to authentic-looking OAuth pages, which then redirect to attacker-controlled sites. Microsoft advises organizations to govern OAuth applications, limit user consent, and implement identity protection measures to mitigate risks.
2026-03-03 | Cyber Security News: Microsoft Warns of New Phishing Attack Exploiting OAuth in Entra ID to Evade Detection
A new phishing attack exploiting OAuth in Microsoft Entra ID has been reported, targeting government and public-sector organizations. Attackers use legitimate redirection to bypass defenses, registering malicious applications to redirect users to attacker-controlled domains without stealing tokens. The five-stage attack includes email delivery, silent OAuth probing, error redirects, malware delivery, and endpoint persistence. Microsoft recommends restricting user consent, auditing OAuth registrations, enabling Conditional Access, and monitoring suspicious redirect URIs.
2026-03-04 | Malwarebytes Labs: Attackers abuse OAuth’s built-in redirects to launch phishing and malware attacks
Attackers exploit OAuth error redirects to facilitate phishing and malware attacks, redirecting users from legitimate Microsoft or Google login URLs to malicious sites without stealing tokens. The attack involves deceptive emails prompting users to click links that appear trustworthy. Once clicked, users are redirected to attacker-controlled pages that mimic legitimate sites, leading to credential theft or malware downloads. Recommendations include verifying links, being cautious with unexpected downloads, and keeping security tools updated.
University of Hawaiʻi Cancer Center confirms data leak following ransomware attack
Date: 2026-03-02 | Source: Recorded Future
The University of Hawaiʻi Cancer Center confirmed a data leak affecting up to 1.2 million individuals due to a ransomware attack on its epidemiology division. Hackers accessed sensitive records, including Social Security and driver’s license numbers, linked to historical voter registrations and health studies. The breach involved 87,493 study participants, with ongoing investigations into additional data exposure. The university engaged with threat actors to mitigate risks and is reviewing IT systems for enhanced security.
2026-03-03 | Security Magazine: 1M Impacted by University of Hawaii Cancer Center Breach
The University of Hawaiʻi Cancer Center's Epidemiology Division reported a data breach affecting approximately 1.15 million individuals, with exposed information including Social Security numbers, driver’s license numbers, and voter registration records. The breach involved files from epidemiological studies dating back to the 1990s. Notifications to affected individuals began on February 23, 2026. Experts emphasize the importance of preventing unauthorized access and maintaining operational resilience against cyberattacks in healthcare.
2026-03-04 | Security Affairs: Data breach at University of Hawaiʻi Cancer Center impacts 1.2 Million individuals
A ransomware attack on the University of Hawaiʻi Cancer Center on August 31, 2025, exposed personal data of approximately 1.2 million individuals. The breach affected research operations, compromising names, Social Security numbers, driver’s license details, and health-related information. The organization has engaged law enforcement and cybersecurity experts for investigation. Affected individuals are offered 12 months of free credit monitoring and identity theft protection services.
2026-03-04 | Hack Read: Ransomware Breach at University of Hawaii Cancer Center Affects 1.2M People
A ransomware attack at the University of Hawaii Cancer Center affected approximately 1.24 million individuals, first detected on 31 August 2025. The breach involved historical records from 1998-2000 and data from 87,493 participants in the Multiethnic Cohort Study, including SSNs and health information. The university decided to pay a ransom for a decryption tool and assurance of data destruction. They offer 12 months of free credit monitoring and $1 million in identity theft insurance. Concerns were raised about the delay in public notification.
Taming Agentic Browsers: Vulnerability in Chrome Allowed Extensions to Hijack New Gemini Panel
Date: 2026-03-02 | Source: Palo Alto
A high-severity vulnerability (CVE-2026-0628) in Chrome's Gemini feature allows malicious extensions to hijack the Gemini panel, enabling unauthorized access to local files, camera, and microphone. Discovered on October 23, 2025, it could facilitate privilege escalation and phishing attacks. Google issued a fix on January 5, 2026. Palo Alto Networks recommends using Prisma Browser to prevent such extension-based attacks and offers advanced protection features to mitigate risks.
2026-03-02 | Cyber Security News: Chrome Gemini Vulnerability Lets Attackers Access Victims’ Camera and Microphone Remotely
A high-severity vulnerability in Google Chrome's Gemini AI assistant, tracked as CVE-2026-0628, allows attackers to remotely access users' cameras and microphones, steal local files, and conduct phishing attacks without user interaction. Discovered by Palo Alto Networks on October 23, 2025, the flaw exploits how Chrome handles the declarativeNetRequest API, granting elevated permissions to malicious extensions. Google released a patch on January 5, 2026. Organizations are urged to update Chrome immediately to mitigate risks.
2026-03-02 | The Hacker News: New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel
A newly disclosed vulnerability in Google Chrome, tracked as CVE-2026-0628 (CVSS score: 8.8), allowed attackers to escalate privileges via malicious extensions, potentially accessing local files and sensitive data. Patched in January 2026, the flaw stemmed from insufficient policy enforcement in the WebView tag. Discovered by Palo Alto Networks on November 23, 2025, it could enable unauthorized access to the camera, microphone, and screenshots through the Gemini panel, highlighting risks from AI integration in browsers.
2026-03-03 | Security Affairs: Chrome security flaw enabled spying via Gemini Live assistant
A vulnerability in Google Chrome, tracked as CVE-2026-0628, allows malicious extensions to hijack the Gemini Live AI assistant, enabling spying and file theft. Discovered by Palo Alto Networks, the flaw permits extensions with basic permissions to inject JavaScript into the Gemini panel, accessing local files, camera, and microphone without user consent. The vulnerability was responsibly disclosed on October 23, 2025, and patched in early January 2026. This highlights risks associated with AI-integrated browser features.
2026-03-03 | The Register: Chrome Gemini panel became privilege escalator for rogue extensions
A high-severity vulnerability in Google Chrome, tracked as CVE-2026-0628, was discovered by Palo Alto Networks' Unit 42. Malicious extensions could exploit this flaw to hijack the Gemini Live AI panel, gaining unauthorized access to system resources like webcams and local files. Google patched the issue in January with updates 143.0.7499.192 and 143.0.7499.193. The incident highlights risks associated with integrating AI features into core software, as attackers are increasingly leveraging AI in their tools.
2026-03-03 | Malwarebytes Labs: Chrome flaw let extensions hijack Gemini’s camera, mic, and file access
A high-severity vulnerability in Chrome's Gemini panel, tracked as CVE-2026-0628, allowed low-privilege extensions to inject code and gain access to sensitive capabilities like local file access, screenshots, and camera/microphone control. This flaw was patched in January 2026. Users are advised to limit extensions, prefer well-audited ones, and monitor for unusual activity, as the Gemini panel's trusted status could mislead users about its security.
Hacked Prayer App Used as Cyber Weapon During US-Israel Strikes on Iran
Date: 2026-03-02 | Source: Cyber Security News
During US-Israel airstrikes on Tehran, the 'BadeSaba Calendar' prayer app was compromised, sending psychological warfare notifications to millions of Iranian users. Messages urged military personnel to surrender, coinciding with the strikes. Cybersecurity experts view this as a coordinated nation-state operation, though attribution remains unclear. Concurrently, Iran faced severe internet disruptions, with national connectivity dropping to 1% of normal levels, hindering communication and documentation efforts.
2026-03-02 | Security Magazine: Iranian Apps, Websites Hacked Following US-Israeli Strikes
A series of cyber operations targeted Iranian news websites and a popular religious calendar app, BadeSaba, following US-Israeli strikes. Internet connectivity in Iran dropped significantly. The hackers displayed messages on the hacked sites and app, urging armed forces to surrender. Reports suggest that military targets and government services were also affected to disrupt a coordinated national response, though these claims remain unverified.
2026-03-02 | Infosecurity Magazine: Hybrid Middle East Conflict Triggers Surge in Global Cyber Activity
A surge in global cyber activity has been triggered by military strikes in the Middle East, particularly following joint Israeli-US operations against Iran on February 28, 2026. These strikes were accompanied by a significant cyber campaign that disrupted Iran's digital infrastructure, affecting government services and critical sectors. Experts anticipate intensified cyber retaliation from Iran, including DDoS attacks and ransomware. Organizations are advised to enhance security measures, including multi-factor authentication and offline backups, to mitigate risks.
2026-03-02 | Infosecurity Magazine: Expect Iran to Launch Cyber-Attacks Globally, Warns Google Head of Threat Intel
Iran is expected to launch cyber-attacks globally in response to US and Israeli air strikes, according to John Hultquist of Google Threat Intelligence. The focus has shifted from Israel to other Gulf Cooperation Council countries, which may have less mature security. Hultquist warns of blurred lines between Iranian state actors and cybercriminals, predicting attacks disguised as hacktivism or ransomware. The National Cyber Security Centre advises organizations with Middle East operations to review their cybersecurity posture due to heightened risks.
2026-03-02 | Cybersecurity Dive: Iran-linked hackers raise threat level against US, allies
Security researchers warn of increased cyber threats from Iran-linked hackers following U.S. and Israeli military actions. These groups are ramping up reconnaissance and DDoS attacks, targeting critical infrastructure in the U.S., Israel, and Gulf Cooperation Council countries. Specific threats have been made against the financial services sector. The UK National Cyber Security Centre advises businesses to enhance security measures due to the heightened risk of hacktivist attacks amid regional tensions.
2026-03-02 | The Register: UK businesses told to brace cyber defenses amid Iran conflict risk
The UK's National Cyber Security Centre (NCSC) warns businesses to enhance cyber defenses amid escalating Middle East tensions. While no significant direct threat from Iran exists currently, indirect threats are likely for organizations linked to the region. The NCSC advises firms to review security basics, tighten access controls, and sign up for its Early Warning service. Security experts anticipate an increase in Iranian cyber activity, including potential targeting of critical infrastructure and networks.
2026-03-02 | Security Affairs: Middle East crisis prompts UK NCSC warning on potential Iranian cyber activity
The UK’s NCSC issued a warning on March 2, 2026, regarding potential Iranian cyber threats due to rising Middle East tensions. While no immediate threat to the UK is noted, organizations with regional operations are urged to enhance defenses against possible indirect threats. Recommendations include reviewing DDoS and phishing guidance, strengthening security postures, and enrolling in the NCSC's Early Warning service. CrowdStrike reports Iran-linked hackers are already conducting DDoS and reconnaissance activities.
2026-03-02 | The Register: Iran's cyberwar has begun
Iranian hackers have intensified cyber operations, including DDoS attacks and malware staging, following recent US and Israeli missile strikes. Targeting Israel and Gulf nations, the Iranian group Cotton Sandstorm has resumed activities, deploying infostealers and ransomware. Analysts warn that US-linked organizations, especially defense contractors, should heighten security. Disinformation campaigns are also prevalent, complicating the threat landscape. Organizations are advised to patch systems and enhance security training.
2026-03-03 | Sophos: Hacktivist campaigns increase as United States, Iran, and Israel conflict intensifies
Increased Iranian hacktivist activity has been observed following U.S. and Israeli military strikes on Iran on February 28, 2026. Groups like Handala Hack Team and APTIran are inciting cyberattacks against Israeli targets, utilizing tactics such as DDoS and doxxing. The BaqiyatLock ransomware group is offering free memberships to hacktivists. Organizations, especially in the U.S. and Middle East, are advised to enhance defenses, patch known vulnerabilities, and maintain robust monitoring practices to mitigate risks.
2026-03-03 | Cisco Talos: Talos on the developing situation in the Middle East
Cisco Talos is monitoring the ongoing Middle East conflict, noting minor cyber incidents like web defacements and DDoS attacks. Historically, Iranian groups engage in espionage and destructive attacks. Recommendations for organizations include enabling multi-factor authentication, being cautious with unsolicited links, and assessing third-party risks. Employees should be warned about potential "hacktivist" lures, and organizations should enhance their cybersecurity hygiene and patch management to mitigate risks.
2026-03-03 | Palo Alto: Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran
On Feb. 28, 2026, following U.S. and Israeli military operations, Iran's internet connectivity plummeted to 1-4%, limiting state-aligned cyberattack capabilities. Hacktivist groups, including Handala Hack and APT Iran, have increased disruptive operations against perceived adversaries. A phishing campaign using a fake Israeli app was identified, alongside social engineering scams in the UAE. Pro-Russian groups also targeted Israeli systems. Recommendations include enhancing data protection, employee training, and maintaining updated security measures.
2026-03-03 | DIGIT: NCSC Warns UK Business to Prepare for Iranian Cyber-attacks
The National Cyber Security Centre (NCSC) warns UK businesses to enhance cyber defenses amid the ongoing Middle East conflict, which may lead to indirect cyber threats from Iranian state actors. While no immediate threat is noted, organizations with ties to the region should adjust their cybersecurity posture, monitor for DDoS attacks, phishing, and ICS targeting. The NCSC advises signing up for its Early Warning service and reviewing guidance for critical national infrastructure in light of potential cyber threats.
2026-03-03 | Cyber Security News: Epic Fury/Roaring Lion Sparks Escalating Cyber Conflict as Iran Goes Offline, Hacktivists Step Up Retaliation
On February 28, 2026, the U.S. and Israel initiated Operation Epic Fury and Operation Roaring Lion, leading to a significant cyber conflict with Iran. Iran's internet access plummeted to 1-4%, disrupting its cyber units. A phishing campaign mimicking the Israeli RedAlert app was identified, while hacktivist groups surged, targeting Israeli and Western assets. The "Electronic Operations Room" coordinated attacks, including DDoS and infrastructure compromises. Recommendations include offline data storage and employee training on phishing.
2026-03-03 | TechCrunch: Hacked traffic cams and hijacked TVs: How cyber operations supported the war against Iran
Cyber operations significantly supported the recent U.S.-Israeli military campaign against Iran, which resulted in the death of Supreme Leader Ali Khamenei. U.S. Gen. Dan Caine confirmed that coordinated cyber efforts disrupted Iranian communications and sensor networks. Israel hijacked state media broadcasts to influence public sentiment and utilized hacked traffic cameras for intelligence. Additionally, hackers breached an Iranian prayer app to send pro-liberation messages. Iranian cyber responses have been largely ineffective.
2026-03-03 | Risky.Biz: Risky Bulletin: Cyber Command conducted cyberattacks ahead of Iran strikes
US Cyber Command executed cyber operations to disrupt Iranian defenses prior to a US-Israeli military strike that resulted in the death of Iran's leader Ali Khamenei. The operations, which included disrupting communications and sensor networks, were complemented by Israeli cyber units targeting mobile towers. Iranian responses included missile attacks on US bases and potential cyber retaliation, although internet outages hindered immediate cyber operations. Cybersecurity firms anticipate various cyber threats from Iran.
2026-03-04 | CSO Online: Iranian cyberattacks fail to materialize but threat remains acute
Five days into the conflict between the US and Israel on one side and Iran on the other, significant cyberattacks from Iran have not yet occurred, but experts caution that the threat remains high due to Iran's active cyber capabilities. The UK NCSC and Canadian CCCS issued warnings about potential Iranian cyber campaigns, while CISA has not updated its warnings since October. The NCSC highlighted an increased risk of indirect cyber threats for organizations with ties to the Middle East.
Cultivating a robust and efficient quantum-safe HTTPS
Date: 2026-02-27 | Source: Google Online Security
Google Chrome is developing quantum-safe HTTPS certificates using Merkle Tree Certificates (MTCs) to enhance security against quantum computing threats. MTCs replace traditional X.509 certificates with compact proofs, minimizing bandwidth while maintaining performance. The rollout involves three phases: a feasibility study with Cloudflare (Phase 1), inviting CT Log operators for public MTCs (Phase 2), and establishing a Chrome Quantum-resistant Root Store (Phase 3) by Q3 2027. The initiative aims to ensure a robust, transparent, and efficient web ecosystem.
2026-02-28 | Ars Technica: Google quantum-proofs HTTPS by squeezing 15kB of data into 700-byte space
Google announced a plan to enhance HTTPS certificate security against quantum computer attacks in its Chrome browser. Current X.509 certificates are 64 bytes, while quantum-resistant versions require about 2.5 kilobytes, risking slower connections. To mitigate this, Google and Cloudflare are utilizing Merkle Trees, which allow a Certification Authority to sign a single 'Tree Head' for multiple certificates, sending only a lightweight proof of inclusion to the browser, thus maintaining performance during the transition.
2026-03-02 | Infosecurity Magazine: Chrome Unveils Plan For Quantum-Safe HTTPS Certificates
Google's Chrome team has initiated a plan to develop quantum-safe HTTPS certificates, focusing on Merkle Tree Certificates (MTCs) to enhance security against future quantum threats. This approach replaces traditional digital signatures with a compact proof from a Merkle tree, reducing data transmission during TLS handshakes. A three-phase rollout includes feasibility studies and public deployment, with a dedicated quantum-resistant root store expected by Q3 2027. Existing certificate authorities will continue to be supported during the transition.
2026-03-02 | The Hacker News: Google Develops Merkle Tree Certificates to Enable Quantum-Resistant HTTPS in Chrome
Google is developing Merkle Tree Certificates (MTCs) for quantum-resistant HTTPS in Chrome, aiming to enhance security against future quantum computing threats. MTCs streamline the TLS handshake by allowing a single 'Tree Head' to represent multiple certificates, minimizing bandwidth usage. The rollout will occur in three phases, with feasibility studies ongoing and plans to involve Certificate Transparency Log operators by Q1 2027. Full implementation in the Chrome Quantum-resistant Root Store is expected by Q3 2027.
2026-03-03 | Cyber Security News: Google Unveils Merkle Tree Certificates to Shield HTTPS Against Quantum Threats
Google has introduced Merkle Tree Certificates (MTCs) to enhance HTTPS security against quantum computing threats. Collaborating with the IETF, Chrome is prioritizing MTCs over traditional X.509 certificates, addressing bandwidth issues associated with post-quantum cryptography. MTCs utilize compact proofs instead of heavy certificate chains, ensuring efficiency and transparency. The rollout includes three phases, with Phase 1 underway, Phase 2 set for Q1 2027, and Phase 3 launching a Quantum-resistant Root Store in Q3 2027.
2026-03-04 | TechRadar: 'We can accelerate the adoption of post-quantum resilience for all web users': Google reveals how Chrome will help secure HTTPS certificates against quantum computer attacks — without breaking the Internet
Google plans to enhance HTTPS certificate security against quantum computing threats by integrating post-quantum cryptographic algorithms like ML-DSA. This aims to prevent forgery of certificates, which could exploit vulnerabilities in classical cryptography. To address size concerns, Google employs Merkle Tree Certificates (MTCs) to reduce data overhead, ensuring efficient browser operations. Chrome has implemented MTCs, with Cloudflare testing around 1,000 certificates for performance. A working group is coordinating standards for this initiative.
Your personal OpenClaw agent may also be taking orders from malicious websites
Date: 2026-02-27 | Source: CSO Online
Researchers at Oasis Security revealed a vulnerability in OpenClaw that allows malicious websites to connect to a locally running agent, compromising user security. The flaw arises from the assumption that localhost connections are trustworthy. This enables external sites to exploit WebSocket connections, bypassing rate limits and facilitating rapid password brute-forcing and unauthorized device pairing. Users are advised to be cautious of this risk and consider implementing additional security measures.
2026-02-27 | Hack Read: ClawJacked Vulnerability in OpenClaw Could Let Websites Hijack AI Agents
A vulnerability in OpenClaw, identified as ClawJacked (CVE-2026-25253), allows websites to hijack AI agents by exploiting a flaw in the software's main gateway. Researchers demonstrated that a malicious website could silently connect to the AI tool via WebSockets, bypassing user awareness. The attacker could gain admin-level access, compromising sensitive information. OpenClaw released a fix within 24 hours, urging users to update to version 2026.2.25 or later. Experts emphasize the need for stricter security measures for AI agents.
2026-02-28 | The Hacker News: ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket
OpenClaw addressed a high-severity vulnerability, codenamed ClawJacked, allowing malicious websites to hijack local AI agents via WebSocket. The flaw exploited a lack of rate-limiting on the gateway password, enabling attackers to gain admin access. OpenClaw released a fix on February 26, 2026. Additionally, multiple vulnerabilities (CVE-2026-25593, CVE-2026-24763, etc.) were identified, leading to remote code execution risks. Users are advised to audit access and apply updates promptly.
2026-03-01 | Cyber Security News: OpenClaw 0-Click Vulnerability Allows Malicious Websites to Hijack Developer AI Agents
A critical zero-interaction vulnerability in OpenClaw, an open-source AI agent framework, allows malicious websites to gain full control of a developer's AI agent without user action. The attack exploits a local WebSocket gateway, enabling attackers to brute-force passwords and register as trusted devices. This can lead to full workstation compromise. Users are advised to update to version 2026.2.25, audit OpenClaw instances, and establish governance policies for AI agents. The vulnerability has been classified as high severity.
2026-03-02 | Security Affairs: ClawJacked flaw exposed OpenClaw users to data theft
A high-severity vulnerability named "ClawJacked" in OpenClaw allowed malicious websites to hijack local AI agent instances, enabling silent data theft. Discovered by Oasis Security, the flaw exploited the local WebSocket gateway, permitting brute-force attacks on the gateway password without rate limiting. OpenClaw released a patch (version 2026.2.26) on February 26, 2026. Organizations are advised to update immediately and audit AI agent permissions to enhance security governance.
2026-03-02 | Infosecurity Magazine: ClawJacked Bug Enables Covert AI Agent Hijacking
OpenClaw users are advised to upgrade to version 2026.2.25 or later due to the "ClawJacked" bug, a high-severity vulnerability allowing remote control via an indirect prompt injection attack. The gateway's default localhost binding can be exploited by malicious JavaScript to brute-force passwords and register as a trusted device without user consent. This grants attackers full access to the OpenClaw instance. Organizations are urged to address this and other recent vulnerabilities in the platform.
2026-03-03 | TechRadar: 'A human-chosen password doesn't stand a chance': OpenClaw has yet another major security flaw — here's what we know about "ClawJacked"
A high-severity vulnerability in OpenClaw, an open-source AI agent platform, was discovered by Oasis researchers, allowing attackers to brute-force local gateway authentication via malicious websites. This flaw enables full control over the AI agent, including access to sensitive data. The vulnerability was patched within 24 hours, and users are advised to upgrade to version 2026.2.25 or later to mitigate risks.
North Korean APT37 Hackers Leverage Zoho WorkDrive to Infect Air-Gapped Systems
Date: 2026-02-27 | Source: Cyber Security News
North Korean APT37 has initiated the Ruby Jumper campaign, utilizing custom malware to target air-gapped systems. This campaign introduces five new malware components: RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, and FOOTWINE, enabling multi-stage attacks. The initial infection occurs via a malicious LNK file, leading to surveillance capabilities on isolated machines. Recommendations include restricting removable media, monitoring scheduled tasks, auditing cloud access, and inspecting LNK files to mitigate risks.
2026-02-27 | The Hacker News: ScarCruft Uses Zoho WorkDrive and USB Malware to Breach Air-Gapped Networks
The North Korean threat actor ScarCruft has launched the Ruby Jumper campaign, utilizing tools like RESTLEAF and THUMBSBD to breach air-gapped networks. RESTLEAF employs Zoho WorkDrive for command-and-control communications. The attack begins with a malicious LNK file that executes a PowerShell script to deploy various payloads. THUMBSBD and VIRUSTASK facilitate command relay and data transfer via removable media. The campaign marks a novel use of cloud services for malware deployment and targets isolated systems.
2026-02-27 | Infosecurity Magazine: North Korea's APT37 Expands Toolkit to Breach Air-Gapped Networks
North Korea's APT37 has launched a new campaign, dubbed ‘Ruby Jumper,’ targeting air-gapped networks using removable media for infection. Discovered by Zscaler ThreatLabz in December 2025, the campaign utilized six malicious tools, five of which were previously undocumented. APT37 gained access through malicious Windows shortcut (LNK) files, which executed PowerShell commands to extract payloads. The campaign marks an expansion of APT37's operations beyond South Korea to various industries in Japan, Vietnam, and the Middle East.
2026-03-02 | Security Affairs: APT37 combines cloud storage and USB implants to infiltrate air-gapped systems
North Korea-linked APT37, in its Ruby Jumper campaign, utilized Zoho WorkDrive and USB malware to infiltrate air-gapped networks. Discovered by Zscaler ThreatLabz in December 2025, the attack begins with malicious LNK files and employs tools like RESTLEAF and SNAKEDROPPER to deliver backdoors for surveillance. THUMBSBD bridges air-gapped systems using USB drives for data exfiltration. The campaign highlights the need for enhanced monitoring of endpoint activity and physical access to combat such threats.
1 Million Records from Dutch Telco Odido Published Online After Extortion Attempt
Date: 2026-02-27 | Source: Cyber Security News
A data breach at Dutch telecommunications provider Odido has resulted in over one million customer records being published online by the ShinyHunters group after a failed extortion attempt in February 2026. The breach affects approximately 688,100 accounts, exposing sensitive information including names, addresses, phone numbers, email addresses, bank account numbers, and government-issued IDs. Odido has advised customers to monitor accounts, be vigilant against phishing, and check their exposure via the Have I Been Pwned database.
2026-02-27 | The Register: Cops back Dutch telco Odido after second wave of ShinyHunters leaks
The Netherlands' national police support Odido's refusal to pay ransom after ShinyHunters leaked a second batch of 1 million records, totaling 6.2 million affected customers. The leaks include sensitive data like email addresses, bank account numbers, and personal information. The police advise against paying ransoms, emphasizing that it does not guarantee data safety. Odido is offering affected customers a 24-month subscription to F-Secure's digital security package for protection against threats.
2026-02-27 | Hack Read: ShinyHunters Leak 2M Records From Dutch Telecom Odido, Claim 21M Stolen
ShinyHunters has leaked 2 million records from Dutch telecom provider Odido after the company refused to pay a €1 million ransom. The breach, affecting 6.2 million customers according to Odido, may involve up to 21 million records, including sensitive data like addresses, emails, and bank details. Odido has confirmed that plaintext passwords were not compromised and is offering affected customers a free 24-month digital security package. The Dutch police advise against paying ransoms.
2026-03-01 | Security Affairs: ShinyHunters leaked the full Odido dataset
ShinyHunters leaked the full dataset of Odido, a Dutch telecommunications company, affecting 6.2 million accounts. The breach, confirmed in mid-February, exposed names, addresses, phone numbers, email addresses, bank details, dates of birth, and ID numbers, but not passwords or billing info. A final dump revealed an additional 4.6 million unique email addresses, totaling 6.1 million across four releases. The data breach notification service Have I Been Pwned has added the compromised dataset to its archive.